[Client Plugins] Disable/Enable plugins per account

Author Topic: [Client Plugins] Disable/Enable plugins per account  (Read 6679 times)

HolgerD77

[Client Plugins] Disable/Enable plugins per account
« on: May 15, 2015, 11:17:29 am »

Hi guys,
I have added one extra measure of security for plugins, which is the ability to disable/enable plugins by account in the settings.

This should increase security level a lot, it is now possible to have plugins disabled for accounts storing larger amounts of NXT and just use plugins together with the everyday-spending-account. Before this change this actually COULD be done already by always deactivating plugins on startup for certain accounts, but this is a huge mental task tied to every login and chances are high that this will be forgotten at some point.

Default settings for plugins are now being "disabled", otherwise it would make no sense, but it is very easy to switch and also visible for users what to do, so this shouldn't be limiting adoption.

Cheers
Holger
Logged
NXT-AQ9F-JC4F-NCM2-4JSXZ

Tosch110

Re: [Client Plugins] Disable/Enable plugins per account
« Reply #1 on: May 15, 2015, 11:21:25 am »

Nice, I am looking forward to trying this out! Looks like you are making great progress towards a very secure plugin usage in the future. Very good!

HolgerD77

Re: [Client Plugins] Disable/Enable plugins per account
« Reply #2 on: May 15, 2015, 11:28:53 am »

Thanks. :-)

(btw: this didn't make it into the current 1.5.8e release yet)
Logged
NXT-AQ9F-JC4F-NCM2-4JSXZ

Omega

Re: [Client Plugins] Disable/Enable plugins per account
« Reply #3 on: May 28, 2015, 02:11:09 am »

I want to be clear about this.  Before I wade into the plug-in realm.  I love next but I am not aiming to be an incredibly technical user.

So long as a NXT account has its plug-ins deactivated, that account is "secure" from third parties whose plug-ins I have added to my desktop client folder?

If I turned those plug-ins on for that account, is that account compromised forever to those third parties, just for that session, or until I turn the plug-ins back off?

I have no problem having a "functional account" and an account where I keep my assets and the majority of the NXT balance, but I want to be sure about all of this.

Thanks!
Logged

HolgerD77

Re: [Client Plugins] Disable/Enable plugins per account
« Reply #4 on: May 28, 2015, 07:25:12 am »

Quote from: Omega
> I want to be clear about this.  Before I wade into the plug-in realm.  I love next but I am not aiming to be an incredibly technical user.
>
> So long as a NXT account has its plug-ins deactivated, that account is "secure" from third parties whose plug-ins I have added to my desktop client folder?
>
> If I turned those plug-ins on for that account, is that account compromised forever to those third parties, just for that session, or until I turn the plug-ins back off?
>
> I have no problem having a "functional account" and an account where I keep my assets and the majority of the NXT balance, but I want to be sure about all of this.
>
> Thanks!

Yes, as long as plugins are deactivated in the settings, your account can't be compromised by 3rd party plugins, there is no code from plugins touched then/loaded into the system.

If plugins are set to "Disabled" for the account in the settings, they are ALWAYS disabled for the account.

There is an exception in Safari due to limited web database support, settings are not stored on a per-user basis there, so try to avoid using Safari for the Nxt client if you have several accounts you switch between. There is a big warning though for this, so people shouldn't miss it if on Safari.
Logged
NXT-AQ9F-JC4F-NCM2-4JSXZ

Omega

Re: [Client Plugins] Disable/Enable plugins per account
« Reply #5 on: May 28, 2015, 04:17:06 pm »

Thanks for the info.  One more thing to clear up though.  Earlier comments made it seem that if plug-ins are activated, then they can directly access your pass-phrase.  That implies that my account is theoretically "compromised" if the plug-ins are ever turned on, even if I deactivate them later, as the plug-in creator may potentially know what my pass-phrase is. 

Is this the case or am I missing something?

Thanks for your speedy response btw.
Logged

HolgerD77

Re: [Client Plugins] Disable/Enable plugins per account
« Reply #6 on: May 28, 2015, 07:47:48 pm »

Quote from: Omega
> Thanks for the info.  One more thing to clear up though.  Earlier comments made it seem that if plug-ins are activated, then they can directly access your pass-phrase.  That implies that my account is theoretically "compromised" if the plug-ins are ever turned on, even if I deactivate them later, as the plug-in creator may potentially know what my pass-phrase is.
>
> Is this the case or am I missing something?
>
> Thanks for your speedy response btw.

No, this is the case. If you once had used an account with a plugin that you learned later had compromising code in it, don't use this account EVER again for transferring larger amounts of NXT, and additionally move existing larger amounts of NXT to another account as soon as possible.

One attacker strategy actually could be to first collect passphrases and then later exploit them. So it is not enough to just deactivate/delete a malicious plugin and feel safe again (also depending on the exact malicious code functionality).

I would generally advise to have a separate account for plugin use and/or only install plugins from trusted/curated sources (e.g. http://nxtplugins.com could be such a source, we will see...).
Logged
NXT-AQ9F-JC4F-NCM2-4JSXZ

Omega

Re: [Client Plugins] Disable/Enable plugins per account
« Reply #7 on: May 29, 2015, 04:19:23 pm »

Alright this all makes sense now.  Really appreciate that you took the time to answer this non-technical guy's questions.  : D
Logged

Nxter

Re: [Client Plugins] Disable/Enable plugins per account
« Reply #8 on: May 29, 2015, 05:10:46 pm »

Could a malicious plugin modify the NRS so the malicious code is executed even when the malicious plugin is deactivated?
Logged

toenu

Re: [Client Plugins] Disable/Enable plugins per account
« Reply #9 on: May 29, 2015, 05:52:37 pm »

Quote from: Nxter
> Could a malicious plugin modify the NRS so the malicious code is executed even when the malicious plugin is deactivated?

No, the plugin code is executed in your browser, from where the files on the server can't be modified. But I suppose a malicious plugin could mess with the things in local storage (contacts, settings etc.) which would still have an effect when deactivated later.
« Last Edit: May 29, 2015, 05:54:56 pm by toenu »
Logged
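
The default-disabled, per-account gate from Reply #4 and the local-storage caveat from Reply #9, sketched as an added example. This is not Nxt client code: the function names, the key layout, the account IDs and the fail-closed handling of browsers without per-account storage are all assumptions made for illustration.

```javascript
// Added illustration, not Nxt client code; every name here is hypothetical.
// `store` stands in for the browser-side settings database (a Map here).
const ENABLED = "enabled";

function settingKey(account) {
  return "plugins:" + account;
}

// Default-deny: only the exact string "enabled" turns plugins on.
// Assumption: if settings cannot be kept per account, fail closed.
function pluginsEnabled(store, account, perAccountStorage) {
  if (!perAccountStorage) return false;
  return store.get(settingKey(account)) === ENABLED;
}

// Loaders run only after the gate passes, so a disabled account never
// evaluates any plugin code.
function loadPlugins(store, account, perAccountStorage, loaders) {
  if (!pluginsEnabled(store, account, perAccountStorage)) return [];
  const loaded = [];
  for (const name of Object.keys(loaders)) {
    loaders[name](store);
    loaded.push(name);
  }
  return loaded;
}

// Snapshot shared storage before a plugin session and diff it afterwards:
// changes made by plugin code persist after the plugin is switched off.
function snapshot(store) {
  return new Map(store);
}

function changedKeys(before, after) {
  const keys = new Set([...before.keys(), ...after.keys()]);
  return [...keys].filter((k) => before.get(k) !== after.get(k)).sort();
}

// Constructed sample data: a vault account left at the default and a
// spending account with plugins enabled; the plugin rewrites shared storage.
function demo() {
  const store = new Map([["plugins:NXT-SPEND", ENABLED], ["contact:alice", "NXT-AAAA"]]);
  const loaders = {
    untrusted: (s) => { s.set("contact:alice", "NXT-ZZZZ"); s.set("plugins:NXT-VAULT", ENABLED); },
  };
  const vaultLoaded = loadPlugins(store, "NXT-VAULT", true, loaders);
  const before = snapshot(store);
  const spendLoaded = loadPlugins(store, "NXT-SPEND", true, loaders);
  return { vaultLoaded, spendLoaded, changed: changedKeys(before, store) };
}
```

The diff only shows what changed in storage; it says nothing about a passphrase that plugin code may already have seen, which is why Reply #6 advises moving funds to a new account.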

oakmaster

Re: [Client Plugins] Disable/Enable plugins per account
« Reply #10 on: August 17, 2015, 12:43:39 am »

Quote from: HolgerD77
> Hi guys,
> I have added one extra measure of security for plugins, which is the ability to disable/enable plugins by account in the settings.
>
> This should increase security level a lot, it is now possible to have plugins disabled for accounts storing larger amounts of NXT and just use plugins together with the everyday-spending-account. Before this change this actually COULD be done already by always deactivating plugins on startup for certain accounts, but this is a huge mental task tied to every login and chances are high that this will be forgotten at some point.
>
> Default settings for plugins are now being "disabled", otherwise it would make no sense, but it is very easy to switch and also visible for users what to do, so this shouldn't be limiting adoption.
>
> Cheers
> Holger

For some reason, I don't know why, but I have tried everything, I can't get plugins to work at all. I tried creating a new account, I made sure plugins were enabled in settings, I made sure the hello world plugin deactivate was changed to false. Nothing I do or no plugin I install in Nxt will not work. Do you know any way I can get plugins to work? This is driving me crazy. I would like to use some of these plugins. I'd really appreciate it.


Logged
 
