Topic: [Client Plugins] Disable/Enable plugins per account (Read 6679 times)

HolgerD77 · « **on:** May 15, 2015, 11:17:29 am »

Hi guys,
I have added one extra measure of security for plugins, which is the ability to disable/enable plugins by account in the settings.

This should increase security level a lot, it is now possible to have plugins disabled for accounts storing larger amounts of NXT and just use plugins together with the everyday-spending-account. Before this change this actually COULD be done already by always deactivating plugins on startup for certain accounts, but this is a huge mental task tied to every login and chances are high that this will be forgotten at some point.

Default settings for plugins are now being "disabled", otherwise it would make no sense, but it is very easy to switch and also visible for users what to do, so this shouldn't be limiting adoption.

Cheers
Holger

Tosch110 · « **Reply #1 on:** May 15, 2015, 11:21:25 am »

Nice, I am looking forward to try this out! Looks like you are making great progress towards a very secure plugin usage in the future. Very good!

HolgerD77 · « **Reply #2 on:** May 15, 2015, 11:28:53 am »

Thanks. :-)

(btw: this didn't make it into the current 1.5.8e release yet)

Omega · « **Reply #3 on:** May 28, 2015, 02:11:09 am »

I want to be clear about this. Before I wade into the plug-in realm. I love next but I am not aiming to be an incredibly technical user.

So long as a NXT account has its plug-ins deactivated, that account is "secure" from third parties whose plug-ins I have added to my desktop client folder?

If I turned those plug-ins on for that account, is that account compromised forever to those third parties, just for that session, or until I turn the plug-ins back off?

I have no problem having a "functional account" and an account where I keep my assets and the majority of the NXT balance, but I want to be sure about all of this.

Thanks!

HolgerD77 · « **Reply #4 on:** May 28, 2015, 07:25:12 am »

Quote from: Omega on May 28, 2015, 02:11:09 am

I want to be clear about this. Before I wade into the plug-in realm. I love next but I am not aiming to be an incredibly technical user.

So long as a NXT account has its plug-ins deactivated, that account is "secure" from third parties whose plug-ins I have added to my desktop client folder?

If I turned those plug-ins on for that account, is that account compromised forever to those third parties, just for that session, or until I turn the plug-ins back off?

I have no problem having a "functional account" and an account where I keep my assets and the majority of the NXT balance, but I want to be sure about all of this.

Thanks!

Yes, as long as plugins are deactivated in the settings, your account can't be compromised by 3rd party plugins, there is no code from plugins touched then/loaded into the system.

If plugins are set to "Disabled" for the account in the settings, they are ALWAYS disabled for the account.

There is an exception in Safari due to limited web database support, settings are not stored on a per-user basis there, so try to avoid using Safari for the Nxt client if you have several accounts you switch between. There is a big warning though for this, so people shouldn't miss if on Safari.

Omega · « **Reply #5 on:** May 28, 2015, 04:17:06 pm »

Thanks for the info. One more thing to clear up though. Earlier comments made it seem that if plug-ins are activated, then they can directly access your pass-phrase. That implies that my account is theoretically "compromised" if the plug-ins are ever turned on, even if I deactivate them later, as the plug-in creator may potentially know what my pass-phrase is.

Is this the case or am I missing something?

Thanks for your speedy response btw.

HolgerD77 · « **Reply #6 on:** May 28, 2015, 07:47:48 pm »

Quote from: Omega on May 28, 2015, 04:17:06 pm

Thanks for the info. One more thing to clear up though. Earlier comments made it seem that if plug-ins are activated, then they can directly access your pass-phrase. That implies that my account is theoretically "compromised" if the plug-ins are ever turned on, even if I deactivate them later, as the plug-in creator may potentially know what my pass-phrase is.

Is this the case or am I missing something?

Thanks for your speedy response btw.

No, this is the case. If you once had used an account with a plugin that you learned later had compromising code in it, don't use this account EVER again for transfering larger amounts of NXT, and additionally move existing larger amounts of NXT to another account as soon as possible.

One attacker strategy actually could be, to first collect passphrases and then later expoit them. So it is not enough to just deactivate/delete a malicous plugin and feel save again (also depending on the exact malicious code functionality).

I would generally advice to have a separate account for plugin use and/or only install plugins from trusted/curated sources (e.g. http://nxtplugins.com could be such a source, we will see...).

Omega · « **Reply #7 on:** May 29, 2015, 04:19:23 pm »

Alright this all makes sense now. Really appreciate that you took the time to answer this non-technical guy's questions. : D

Nxter · « **Reply #8 on:** May 29, 2015, 05:10:46 pm »

Could a malicious plugin modify the NRS so the malicious code is executed even when the malicious plugin is deactivated?

toenu · « **Reply #9 on:** May 29, 2015, 05:52:37 pm »

Quote from: Nxter on May 29, 2015, 05:10:46 pm

Could a malicious plugin modify the NRS so the malicious code is executed even when the malicious plugin is deactivated?

No, the plugin code is executed in your browser, from where the files on the server can't be modified. But I suppose a malicious plugin could mess with the things in local storage (contacts, settings etc.) which would still have an effect when deactivated later.

oakmaster · « **Reply #10 on:** August 17, 2015, 12:43:39 am »

Quote from: HolgerD77 on May 15, 2015, 11:17:29 am

Hi guys,
I have added one extra measure of security for plugins, which is the ability to disable/enable plugins by account in the settings.

This should increase security level a lot, it is now possible to have plugins disabled for accounts storing larger amounts of NXT and just use plugins together with the everyday-spending-account. Before this change this actually COULD be done already by always deactivating plugins on startup for certain accounts, but this is a huge mental task tied to every login and chances are high that this will be forgotten at some point.

Default settings for plugins are now being "disabled", otherwise it would make no sense, but it is very easy to switch and also visible for users what to do, so this shouldn't be limiting adoption.

Cheers
Holger

For some reason I don't know why but I have tried everything I can't get plugins to work at all I tried creating a new account I made sure plugins where enabled in settings I made sure thrd hello world plugin deactivate was changed to false nothing I do or no plugin I install in nxt will not work do you no anyway I can get plugins to work this is driving me crazy i would like to use some of these plugins Id really appreciate it

Sent from my SAMSUNG-SM-N900A using Tapatalk

Switch to ArdorForum

News:

Author Topic: [Client Plugins] Disable/Enable plugins per account (Read 6679 times)

HolgerD77

[Client Plugins] Disable/Enable plugins per account

Tosch110

Re: [Client Plugins] Disable/Enable plugins per account

HolgerD77

Re: [Client Plugins] Disable/Enable plugins per account

Omega

Re: [Client Plugins] Disable/Enable plugins per account

HolgerD77

Re: [Client Plugins] Disable/Enable plugins per account

Omega

Re: [Client Plugins] Disable/Enable plugins per account

HolgerD77

Re: [Client Plugins] Disable/Enable plugins per account

Omega

Re: [Client Plugins] Disable/Enable plugins per account

Nxter

Re: [Client Plugins] Disable/Enable plugins per account

toenu

Re: [Client Plugins] Disable/Enable plugins per account

oakmaster

Re: [Client Plugins] Disable/Enable plugins per account