Security - a plugin that monitors other plugins?

Hi everyone,

Very interested but haven’t committed to Obsidian due to ongoing security concerns on the plugin side. This has been covered in some forum threads: any plugin could have access to any part of your system drive, by design/necessity, and so technically any plugin could go rogue and leak financial or other data from your machine. The main counterweight to this is people seeing the source at git, and then flagging/alerting on any malicious code. That’s a huge trust to put in other people.

At the same time, plugins are fire. I mean, to me, they are single-handedly creating an obsidian tsunami of great features, and a much faster market adoption of the main product.

But how can enterprises honestly deploy a system with such loose security? If they ban all plugins but system ones, though, they lose out on a boat-load of cutting-edge ideas, features, and functionality.

Could there be, or is there someone looking into a plugin that can act as a supervisor to other plugin activity? Like an ‘endpoint security’ plugin, that can monitor other plugin calls for internet activity, or–?? I’m not software-savvy enough to further flesh out my question…

2 Likes

I feel pretty safe with the popular plugins. They’re used enough that people would flag any suspicious behavior.

This is an interesting suggestion, but in the interim I would advise not leaving your system vulnerable and begin partitioning your services and sensitive data to keep them separate. Try not to put passwords and financial information in plaintext on your devices. For instance my passwords are in Bitwarden so I’m fairly confident that even if a plugin snoops on my filesystem, it won’t be able to access password data.

I do think that if a plugin got complicated enough to do complicated hacks - say, keylogging or MITM attacks - or sending that data to somewhere crazy like China - people would begin to notice pretty quickly.

Thanks for the thoughts. Interesting that there is so little general interest in talking about this…

1 Like

It simply isn’t possible. A plug-in cannot monitor what other plug-ins are doing. If they could then that in itself would be a potential major security breach. If you use the ‘meld encrypt’ plug-in (I think that is the name) then you can encrypt any sensitive part of a note while it is in permanent storage and while it is on screen until you choose to decrypt it. It’s not a perfect solution but it works in most situations.

1 Like