429 points saeedesmaili | 5 comments
gejose No.45308131
This is one way to look at it, but ignores the fact that most users use third party community plugins.

Obsidian has a truly terrible security model for plugins. As I realized while building my own, Obsidian plugins have full, unrestricted access to all files in the vault.

Obsidian could've instead opted to be more 'batteries-included', at the cost of more development effort, but instead leaves this to the community, which in turn increases the attack surface significantly.

Or it could have a browser-extension-like manifest that declares all permissions used by the plugin, where attempting to access a permission that's not granted gets blocked.

Both of these approaches would've led to more real security to end users than "we have few third party dependencies".

replies(19): >>45308149 #>>45308208 #>>45308212 #>>45308222 #>>45308224 #>>45308241 #>>45308572 #>>45308600 #>>45308749 #>>45310219 #>>45310642 #>>45310881 #>>45310991 #>>45311185 #>>45311760 #>>45311782 #>>45312975 #>>45313054 #>>45314194 #
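To make the manifest idea in the comment above concrete, here is an added example (not Obsidian's code and not the commenter's) of a permission-gated vault API: the plugin declares what it needs, and any call outside the declared grants throws instead of reaching the vault. The permission string format (`action:folder`), the in-memory vault, and all function names are assumptions made for illustration.

```javascript
'use strict';

// Constructed in-memory vault standing in for the files on disk.
const VAULT = new Map([
  ['Notes/todo.md', '- [ ] ship plugin'],
  ['Secrets/api-key.md', 'sk-test-0000'],
]);

class PermissionError extends Error {
  constructor(action, path) {
    super(`permission '${action}' not granted for '${path}'`);
    this.name = 'PermissionError';
  }
}

// Permissions are "action:scope"; scope is a folder prefix or "*" (whole vault).
function parsePermission(p) {
  const [action, scope = '*'] = p.split(':');
  return { action, scope };
}

// Collapse "." and ".." so a plugin cannot escape its folder with traversal.
function normalize(path) {
  const parts = [];
  for (const seg of path.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { parts.pop(); continue; }
    parts.push(seg);
  }
  return parts.join('/');
}

function allowed(grants, action, path) {
  return grants.some(g => g.action === action &&
    (g.scope === '*' || path === g.scope || path.startsWith(g.scope + '/')));
}

// Build the API object a plugin receives. It closes over the manifest and is
// frozen, so the plugin cannot widen its own grants after load.
function createVaultApi(manifest, vault = VAULT) {
  const grants = (manifest.permissions || []).map(parsePermission);
  const guard = (action, path) => {
    const p = normalize(path);
    if (!allowed(grants, action, p)) throw new PermissionError(action, p);
    return p;
  };
  return Object.freeze({
    read(path) { const p = guard('read', path); return vault.has(p) ? vault.get(p) : null; },
    write(path, data) { const p = guard('write', path); vault.set(p, data); return true; },
    list(folder) {
      const f = guard('read', folder);
      return [...vault.keys()].filter(k => k.startsWith(f + '/'));
    },
  });
}

// A hypothetical plugin that only declares access to the Notes folder, then
// tries to reach outside it. Each outcome is recorded rather than printed.
function demo() {
  const manifest = { id: 'todo-helper', permissions: ['read:Notes', 'write:Notes'] };
  const api = createVaultApi(manifest);
  const outcome = {};
  const tryCall = (name, fn) => {
    try { outcome[name] = fn(); } catch (e) {
      if (!(e instanceof PermissionError)) throw e;
      outcome[name] = 'BLOCKED';
    }
  };
  tryCall('readOwn', () => api.read('Notes/todo.md'));
  tryCall('readSecret', () => api.read('Secrets/api-key.md'));
  tryCall('traversal', () => api.read('Notes/../Secrets/api-key.md'));
  tryCall('writeOwn', () => api.write('Notes/done.md', '- [x] ship plugin'));
  tryCall('writeSecret', () => api.write('Secrets/api-key.md', 'overwritten'));
  tryCall('listOwn', () => api.list('Notes'));
  return outcome;
}

module.exports = { VAULT, PermissionError, createVaultApi, normalize, demo };
```

The gate is only as strong as the boundary around it: a manifest is a declaration, and it enforces nothing if the plugin can still reach `fs` or spawn a process directly, which is the point the replies below make about VS Code extensions. A real implementation would have to pair the manifest with a runtime that hands the plugin this object and nothing else.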
1. hahn-kev No.45310881
It's no worse than vscode. Sure, there are permissions, but it's super common for an extension to start a process, and that process can do anything it wants.
replies(3): >>45310885 #>>45310970 #>>45311166 #
2. endorphine No.45310885
And why is VSCode our baseline?
replies(1): >>45311562 #
3. thund No.45310970
Plus vscode is maintained by a company with thousands of devs. Obsidian is less than 10 people, which is amazing. About plugins: why blame the product? Please check what you install on your machine instead.
4. bdzr No.45311166
It's *significantly* worse than vscode. vscode is at least attempting to grapple with the problem: https://code.visualstudio.com/docs/configure/extensions/exte....
5. wiseowise No.45311562
Because it is one of the most popular dev tools out there? If not the most popular. It also uses Electron, like Obsidian. Has thousands of plugins, like Obsidian.