Thanks for the response. Yes I had seen some prior similar responses, but I still think some help for users to understand the risks could usefully be included in the Help - rather than leaving the information buried in a long thread like this.

Have any of the YouTube channels covering Obsidian made any videos related to security that might help me investigate further?

I do understand there are technical limitations, and that Obsidian has chosen a certain development path, but as you know online fraud, malware and data theft is a very real issue of concern to many people.

2 Likes

There is a pretty clear statement about risks when you disable safe mode.

Which is why I didn’t. My points still stand.

1 Like

Which points?

What more information is needed to understand the risks of the message when you disable safe mode and what is continued here https://help.obsidian.md/Advanced+topics/Community+plugins#Plugin+security?

You can contribute to the docs here: https://github.com/obsidianmd/obsidian-docs

2 Likes

Okay, thanks. I imagine you’re referring to this from your link (which I’ve seen already, along with the ‘safety’ tab):

Due to technical reasons with our platform, we’re unable to restrict plugins to a specific permission or access level. Since we offer Obsidian for free, currently we’re unable to manually review each plugin.

The good news is that Obsidian has an amazing and passionate community, so we rely on community trust to ensure security of community plugins.

I came to Obsidian, and this forum, for that amazing community. But I respectfully, and politely, disagree that trust is the solution to security.

Please understand, that I get that the app is free. I hope you also understand that not everyone who is using Obsidian is here just because it’s free. Personally I came because I’d heard about that amazing community, from SweetSetup and others, and thought it was a neat solution. My disappointment in the security gaps is therefore coming from a place of loving the Obsidian concept, not a place of trying to be difficult.

1 Like

That is a completely valid position to hold.

Since you were claiming that there is a lack of transparency about plugin risks in the app/docs, I was just trying to understand what exactly you are referring to and what more we should add. What is buried in this thread that is not covered at a high level in the app/docs?

2 Likes

Could I ask if I’m understanding this correctly, specifically how turning off Safe Mode works? I searched but didn’t find the answer.

Turning off Safe Mode, I presume, doesn’t automatically turn on all community plugins? Is the process similar to Core Plugins, where one can turn on/off plugins? So, if I turn off Safe Mode, I now get access to (a list of) community plugins. I can then choose to turn on a specific plugin? So I’m accepting the risk of that one plugin, not all plugins?

Thanks for your clarification. :slight_smile:

Yes. Mostly.
Turning off safe mode gives you access, and you can download the individual plugins you choose.
There’s a further switch where you can turn individual plugins on or off.

3 Likes

Thanks, Dor, that’s very helpful to know.

FWIW, since the warning about plugins is general, I understood this as signaling that just turning off Safe Mode would open a kind of Pandora’s box. Would it be useful to rephrase, or add a phrase like (additions in italics):

Turning off Safe Mode allows you to download and turn on/off plugins created by community members.

Community plugins can access files on your computer, connect to the internet, and even install additional programs. They can also be faulty and cause data corruption or data loss. [? Possibly add: See [link] for guides on how to evaluate the safety of third-party plugins.]

Would you like to disable Safe Mode to allow access to these third-party plugs? Before downloading and activating any third-party plugin, make sure you have set up backups of your vault in case plugs malfunction and wipe your notes.

(My ex-technical writer hat is rusty…still thinking (if it’s helpful).)

Mozilla has a nice article (on evaluating the safety of Firefox extensions) that could be a useful model for addressing this question of Obsidian plugin safety. The link could be offered as a general guide for how to think about evaluating third-party plugins or extensions. (Obviously, Mozilla has a lot more resources for vetting extension safety.)

Thanks again.

2 Likes

Thanks @Laina for your feedback.

One option to keep in mind is that plugins and settings are loaded on a per-vault basis. If some vaults are more sensitive than others, it may be reasonable to run some vaults with safe mode on, and others with it off.

2 Likes