Then you could only use plugins which do nothing with your NXT account. But you want plugins that do something with your account, maybe sending dividends or creating other automatic transactions because you bought something or did an action which requires a small fee. That's one big improvement about using plugins. To achieve this the plugin needs to know your passphrase, and that is why it's unsafe. If the external plugin code knows your passphrase it could do anything with your account.
There needs to be a way that the plugin doesn't know your passphrase. Every time a plugin wants to make an action which requires a passphrase, the core system has to ask about it and has to know the passphrase. But because everything is JavaScript there is no way to separate this safely!
What about making a plugin open in its own separate new window? It shouldn't be able to access any info in the main client and could just communicate through the API.
Well, the only solution to this is not giving the plugin access to your password. Let me give you an example:
Plugin in separate window creates transaction bytes to be signed and then could:
a) show them to the user, so he can copy and sign them in the main client
b) send a request to sign transaction through the API, the user then signs the transaction in the main client window (simpler for the user)
The client should also show you what the transaction you are signing is going to do.
There are also a lot of plugins that don't need access to your account and this would make using them safer.
Let's take a step back: why do you trust entering your passphrase into the standard wallet?
I estimate that less than 10% of the users downloading the installation zip actually bother to validate jean-luc's public key or even the sha256 signature of the zip.
And even if you do, there is always a small chance that someone hacked into jean-luc's machine and issued a properly signed but malicious installation.
And regarding plugins, even if the plugin is not actively asking for your passphrase, it can still steal your password, for example by adding listeners on modals like "Send Money" and waiting for you to enter your passphrase there, I can think of other attack vectors.
The answer to this is that you should never enter a passphrase of an account which holds a significant amount of NXT on an online computer. However, signing transactions offline is currently not implemented in the client wallet. We are planning to introduce it in V1.6.
Once this is operational, you'll never have to enter your passphrase on a workstation connected to the internet and you'll be able to use plugins without worrying about your passphrase being stolen unless the plugin itself asks you to enter your passphrase and then steals it.
Yes, there will always be issues with trust, but software directly provided by the core developers and third-party plugins are different kinds of things.
I like the ability to use plugins in the client, but the way it's done now is really not ideal.
Offline signing sounds great, GJ on that.