On the security of plugins

&gt; I take occupational offense to misuse of the term private because we’ve spent the last half decade building Standard Notes to be private without any ambiguity to what that term means.<p>&gt; [..]<p>&gt; Using the word “private” as “anything that isn’t on a cloud” is misleading, in my opinion. We know this is not the definition of private we want.<p>I don&#x27;t know, for me that is a very acceptable definition since anything on the cloud is not private. If anything...<p>&gt; When we think private, and when software products typically use the word private, they mean it to say privacy is a primary focus of the application, as enacted and permeated through mission, culture, code and operation.<p>...<i>that</i> definition could be applied to stuff on the cloud too since a cloud app can claim to care about privacy being &quot;its primary focus&quot; and its &quot;culture, code and operation&quot;.<p>Of course something being local doesn&#x27;t mean that it is 100% watertight proven that it is private, but the default state of a computer (at least as far as regular PCs go) is that and it is only after your actions as a user that state can be compromised.<p>As such the advice &quot;don&#x27;t download stuff that run `rm -f` on your hard drive&quot; is a perfectly valid advice.<p>TBH this looks like some product&#x27;s blog claiming why another competing product is inferior and theirs is better.

While I&#x27;m generally in favor of innovation for secure computing, I think this category of &quot;vulnerability&quot; is not that bad. Applications have managed to use natively compiled plugins for decades without much in the way of `rm -rf &#x2F;`ing users machines - and those that do don&#x27;t get installed.<p>Like for example I haven&#x27;t yet seen a post that decries the security vulnerabilities of VST plugins or Unreal engine plugins, but they actually have slightly worse surface areas that are harder to secure than something running on top of a JS engine.<p>At a certain point you have to accept that running code someone else wrote may do bad things. Zero trust doesn&#x27;t have zero cost. Don&#x27;t run random programs you download off the internet without accountability.

Two things I disagree with in this article.<p>1) I think the author is mixing up privacy and security here. At least to me, security is about whether the program has any bugs that allow access to data that the developer didn&#x27;t intend. Developer&#x27;s intent is important here, since a program itself does not have any intention, it always behaves exactly as it should.<p>Privacy on the other hand, is whether the user has control over who has access to their data, <i>assuming</i> that the program is secure. So say, if iOS exfiltrated data to Apple, but was intentionally coded that way, then iOS might still be secure, despite not being private. On the other hand, I consider Linux private, because while you could always install malicious packages, it&#x27;s still your choice to install those packages.<p>2) The article is specifically discussing security against plugins accessing data &#x2F; processes outside the application. But this severely cripples the power of plugins. I recognize that this is subjective, but I prefer it when plugins can extend the application in very powerful ways. I think often plugin developers are more creative than the application developer. Chrome, Firefox, VS Code, all have some amazing plugins.<p>That being said, I do like Standard Notes, and while I only tried the product for a little bit I appreciate rhe overall vision.

This seems like an obvious argument, so it is a shame it has to be spoken out loud: you can&#x27;t provide privacy if your software is not secure.

&gt; Using the word “private” as “anything that isn’t on a cloud” is a low bar, in my opinion.<p>I agree it&#x27;s not a high bar, and I appreciate that some developers have higher security standard than others.<p>But I think &quot;anything that isn&#x27;t on a cloud&quot; is an OK definition for &quot;private&quot;. I can cut internet access from my private computer, it will still be able to run malware. I will blame myself for loading the malware into the computer, I will blame the malware&#x27;s author for their malicious intention, but I will not blame my computer for executing the code.<p>I look at privacy as user&#x27;s ability to control their own data, not necessarily the ability to control a software&#x27;s behavior.

The only way to have secure plugins is sandboxed processes using OS IPC mechanisms, anything less subjects either the host application or $HOME to possible exploits.<p>Unfortunately only mobile OSes are on the forefront of this.

This website is very dark and very low contrast on iOS for me. Not sure if page is using dark mode media queries and accidentally putting dark text on dark background only then, or if it’s equally dark and low contrast for everyone.

&gt; When it comes to privacy and security, it’s deathly important to be as unambiguous as possible.<p>Did ... did they miss the giant, in-your-face warning that happens when you intentionally deactivate safe mode in order to be able to install plugins?