Author Topic: How can we trust a plugin..?  (Read 6559 times)

farl4bit

How can we trust a plugin..?
« on: August 10, 2015, 09:16:17 am »

I love the feature of using plugins in the Nxt client. I would like to try them all, but the security warning scares me. I have big concerns about the safety of my NXT and my account.

I have been using Nxtplugins.com and it's a great project, but can they really guarantee that my passphrase will not be compromised? People will not use plugins in Nxt when they can't fully trust the plugins.

Is there a possibility to sandbox the plugins? Or could a setting be added to the client, which can be turned off, so that plugins will not see passphrases?

We need safety to make this a success.

Riker

Re: How can we trust a plugin..?
« Reply #1 on: August 10, 2015, 11:12:14 am »

Since both the client wallet and plugins rely on JavaScript/HTML, we cannot isolate the plugin code from the client wallet itself.
The issue has been discussed in the plugin development thread https://nxtforum.org/nxt-plugins/(client-plugins)-specification-developers-guide/ and several safety measures were suggested.

For 1.6 we are working on a feature which would allow you to sign your transactions on an offline workstation even without downloading the blockchain, so that you never have to expose your passphrase to an online workstation where you can safely use plugins.

NXT Core Dev
Account: NXT-HBFW-X8TE-WXPW-DZFAG
Public Key: D8311651 Key fingerprint: 0560 443B 035C EE08 0EC0  D2DD 275E 94A7 D831 1651

farl4bit

Re: How can we trust a plugin..?
« Reply #2 on: August 10, 2015, 12:02:18 pm »

Quote from: Riker on August 10, 2015, 11:12:14 am
Since both the client wallet and plugins rely on JavaScript/HTML, we cannot isolate the plugin code from the client wallet itself.
The issue has been discussed in the plugin development thread https://nxtforum.org/nxt-plugins/(client-plugins)-specification-developers-guide/ and several safety measures were suggested.

For 1.6 we are working on a feature which would allow you to sign your transactions on an offline workstation even without downloading the blockchain, so that you never have to expose your passphrase to an online workstation where you can safely use plugins.

Thanks for the info. Nice to see some developments in this area!  :)

I also opened this topic so this discussion can take place here.

xchrix

Re: How can we trust a plugin..?
« Reply #3 on: August 10, 2015, 12:23:42 pm »

Trusting plugins is really an issue for me too! Unfortunately, I think there is no way to have trustless plugins.

dude

Re: How can we trust a plugin..?
« Reply #4 on: August 10, 2015, 12:44:37 pm »

What about making a plugin open in its own separate window? It shouldn't be able to access any info in the main client and could just communicate through the API.

farl4bit

Re: How can we trust a plugin..?
« Reply #5 on: August 10, 2015, 01:29:04 pm »

Our 'unsafe' plugin system is even mentioned in the new Cybernetyc Economy Report.  :(

Source: http://cyberep.cyber.fund/#/37

xchrix

Re: How can we trust a plugin..?
« Reply #6 on: August 10, 2015, 02:13:04 pm »

Then you could only use plugins which do nothing with your NXT account. But you want plugins that do something with your account: maybe sending dividends or creating other automatic transactions because you bought something or did an action which requires a small fee. That's one big improvement about using plugins. To achieve this the plugin needs to know your passphrase, and that is why it's unsafe. If the external plugin code knows your passphrase, it could do anything with your account.

There needs to be a way that the plugin doesn't know your passphrase. Every time a plugin wants to make an action which requires a passphrase, the core system has to ask about it and has to know the passphrase. But because everything is JavaScript, there is no way to separate this safely!

Quote from: dude on August 10, 2015, 12:44:37 pm
What about making a plugin open in its own separate window? It shouldn't be able to access any info in the main client and could just communicate through the API.

Riker

Re: How can we trust a plugin..?
« Reply #7 on: August 10, 2015, 03:41:53 pm »

Let's take a step back: why do you trust entering your passphrase into the standard wallet?
I estimate that less than 10% of the users downloading the installation zip actually bother to validate jean-luc's public key or even the sha256 signature of the zip.
And even if you do, there is always a small chance that someone hacked into jean-luc's machine and issued a properly signed but malicious installation.
And regarding plugins, even if the plugin is not actively asking for your passphrase, it can still steal your password, for example by adding listeners on modals like "Send Money" and waiting for you to enter your passphrase there; I can think of other attack vectors.

The answer to this is that you should never enter the passphrase of an account which holds a significant amount of NXT on an online computer. However, signing transactions offline is currently not implemented in the client wallet. We are planning to introduce it in V1.6.
Once this is operational, you'll never have to enter your passphrase on a workstation connected to the internet and you'll be able to use plugins without worrying about your passphrase being stolen unless the plugin itself asks you to enter your passphrase and then steals it.

NXT Core Dev
Account: NXT-HBFW-X8TE-WXPW-DZFAG
Public Key: D8311651 Key fingerprint: 0560 443B 035C EE08 0EC0  D2DD 275E 94A7 D831 1651

dude

Re: How can we trust a plugin..?
« Reply #8 on: August 10, 2015, 04:41:37 pm »

Quote from: xchrix on August 10, 2015, 02:13:04 pm
Then you could only use plugins which do nothing with your NXT account. But you want plugins that do something with your account: maybe sending dividends or creating other automatic transactions because you bought something or did an action which requires a small fee. That's one big improvement about using plugins. To achieve this the plugin needs to know your passphrase, and that is why it's unsafe. If the external plugin code knows your passphrase, it could do anything with your account.

There needs to be a way that the plugin doesn't know your passphrase. Every time a plugin wants to make an action which requires a passphrase, the core system has to ask about it and has to know the passphrase. But because everything is JavaScript, there is no way to separate this safely!

Quote from: dude on August 10, 2015, 12:44:37 pm
What about making a plugin open in its own separate window? It shouldn't be able to access any info in the main client and could just communicate through the API.

Well, the only solution to this is not giving the plugin access to your password. Let me give you an example:

A plugin in a separate window creates transaction bytes to be signed and then could:
a) show them to the user, so he can copy and sign them in the main client
b) send a request to sign transaction through the API, the user then signs the transaction in the main client window (simpler for the user)

The client should also show you, what the transaction you are signing is going to do.

There are also a lot of plugins that don't need access to your account and this would make using them safer.

Quote from: Riker on August 10, 2015, 03:41:53 pm
Let's take a step back: why do you trust entering your passphrase into the standard wallet?
I estimate that less than 10% of the users downloading the installation zip actually bother to validate jean-luc's public key or even the sha256 signature of the zip.
And even if you do, there is always a small chance that someone hacked into jean-luc's machine and issued a properly signed but malicious installation.
And regarding plugins, even if the plugin is not actively asking for your passphrase, it can still steal your password, for example by adding listeners on modals like "Send Money" and waiting for you to enter your passphrase there; I can think of other attack vectors.

The answer to this is that you should never enter the passphrase of an account which holds a significant amount of NXT on an online computer. However, signing transactions offline is currently not implemented in the client wallet. We are planning to introduce it in V1.6.
Once this is operational, you'll never have to enter your passphrase on a workstation connected to the internet and you'll be able to use plugins without worrying about your passphrase being stolen unless the plugin itself asks you to enter your passphrase and then steals it.

Yes, there will always be issues with trust, but software directly provided by the core developers and a third-party plugin are different kinds of things.
I like the ability to use plugins in the client, but the way it's done now is really not ideal.

Offline signing sounds great, GJ on that.

farl4bit

Re: How can we trust a plugin..?
« Reply #9 on: August 10, 2015, 05:56:54 pm »

Quote from: Riker on August 10, 2015, 03:41:53 pm
Let's take a step back: why do you trust entering your passphrase into the standard wallet?
Because there is no security warning...  ;D

Quote from: Riker on August 10, 2015, 03:41:53 pm
I estimate that less than 10% of the users downloading the installation zip actually bother to validate jean-luc's public key or even the sha256 signature of the zip.
And even if you do, there is always a small chance that someone hacked into jean-luc's machine and issued a properly signed but malicious installation.
And regarding plugins, even if the plugin is not actively asking for your passphrase, it can still steal your password, for example by adding listeners on modals like "Send Money" and waiting for you to enter your passphrase there; I can think of other attack vectors.

The answer to this is that you should never enter the passphrase of an account which holds a significant amount of NXT on an online computer. However, signing transactions offline is currently not implemented in the client wallet. We are planning to introduce it in V1.6.
Once this is operational, you'll never have to enter your passphrase on a workstation connected to the internet and you'll be able to use plugins without worrying about your passphrase being stolen unless the plugin itself asks you to enter your passphrase and then steals it.

Would be great if they find a solution. It's great Nxt has a lot of cool features, but if nobody is using them it's more like quantity over quality. That's not good. I'm no developer, I can't help. Just giving structural feedback.

Jean-Luc

Re: How can we trust a plugin..?
« Reply #10 on: August 10, 2015, 06:35:25 pm »

Note that, as described in this thread: https://nxtforum.org/nxt-plugins/%28client-plugins%29-disableenable-plugins-per-account/, if a plugin is disabled for an account, it cannot compromise that account even if it is malicious. Since the default login is now read-only, you can also keep plugins enabled most of the time and only disable them when you need to submit a transaction. Disabling the plugins does require a logout first to take effect, though.

A plugin could modify data in local storage such as contacts, and this modification will persist after disabling the plugin, this is one possible attack vector.

When using offline transaction signing on a separate machine, malicious plugins or any other malware present on the online machine could in theory generate transaction bytes/json different from what you intended. Therefore, when signing, on the offline machine (which is presumably malware free), one should additionally verify that the transaction being signed is what was expected.
GPG key fingerprint: 263A 9EB0 29CF C77A 3D06  FD13 811D 6940 E1E4 240C
NXT-X4LF-9A4G-WN9Z-2R322