Obsidian, a powerful note-taking tool, is vulnerable by default. Whether it be plugins, community themes, or erroneously pasted content, Obsidian does nothing to protect its users.
The developers could've done better, but security is troublesome, so I don't blame them. Obsidian runs on Electron, a notoriously insecure platform. Even Electron applications such as Microsoft's VS Code have numerous security issues.
To mitigate these vulnerabilities, we have a variety of options. The following proposes some simple solutions to the primary threats.
First, we must determine what we're fighting to protect. For most, I expect a combination of these ideas: personal privacy and data loss prevention.
To me, losing access to my journal would be devastating. Before privacy, I want my data protected.
So, who are our threat actors? Why would we be targeted?
Privacy is the most likely target. Some third-party content will invariably contain greyware or spyware. Luckily, these types of content are usually spotted by the community. It's merely a matter of whether you'll use it despite knowing.
Unless you know yourself to be a valuable target, ransomware is likely your worst-case scenario. Such an attacker may encrypt your data forever or even post it online. After payment, the attacker has no good reason to return the favor.
However, please use your judgment to create your threat model. Ask yourself what you're trying to protect and why someone else wants it.
Is third-party content worth the risk?
For most of us, absolutely. I'm not a celebrity, journalist, or whistle-blower. Remember, you're using third-party software. If you're so concerned, downloading Obsidian was its own risk.
However, of course, we want to mitigate the risk. Don't install third-party content from obscure sources. As far as Obsidian goes, if it's not within the Community Tabs, I don't suggest installing it. The Obsidian team does some code review before adding a plugin.
Furthermore, many plugins use another party's content, a fourth party or what have you. Take, for example, the Kindle Highlights plugin; it will leak your data to Amazon. This is nothing against the plugin. After all, for it to work, you had to access your Amazon account. Even if accidental, it becomes more of an issue when this fourth party has more control.
Use your judgement. Third-party content is always a question of trust!
Audits Are Hard
I would love to see proper security audits for plugins, but it's either too expensive or too restrictive. My best suggestion would be to establish a standard for plugins to follow. Combined with some automated tooling and a bit of review, that could lead to a real improvement in security.
Honestly, I don't think that would work. If anything, we should pool our efforts to scrutinize the top plugins. If one of the authors gets "hacked", the results could be devastating when we all collectively update into malware.
As for actual mitigation, I highly suggest code signing. Doing so would increase the effort required to submit a malicious update, and I don't see this as a requirement for the Community Plugins Tab.
Copy/Paste and Dangerous Settings
A few plugins, like Dataview and Templater, have explicitly insecure settings. Please be very careful when inputting data into your vault with these plugins enabled! Fully understand what the content you're copying does before you put it into your vault.
Additionally, HTML itself can be dangerous. HTML is—generally—not escaped within Obsidian. And although I won't call iframes insecure, they are a weak point. Remember, an iframe is the same as running third-party code because it is running third-party code; it's just a matter of how it's running.
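As an added example (not code from the original post), here is a small Python scanner that flags the constructs discussed above before a note is rendered or a plugin runs it: raw HTML iframes, script tags and inline event handlers, plus Templater's `<%* ... %>` execution blocks and Dataview's `dataviewjs` fences (both plugin syntaxes are assumed here). The sample vault is constructed inline.

```python
import re
from typing import Dict, List, Tuple

# Constructs that Obsidian renders as live HTML or that plugins execute as code.
# The Templater "<%*" and Dataview "dataviewjs" patterns are assumed plugin syntax;
# the HTML patterns are generic. Each hit is reported with its line number.
RISKY_PATTERNS = [
    ("html-iframe", re.compile(r"<iframe\b", re.I)),
    ("html-script", re.compile(r"<script\b", re.I)),
    ("html-event-handler", re.compile(r"<\w+[^>]*\son\w+\s*=", re.I)),
    ("templater-js", re.compile(r"<%\*")),
    ("dataviewjs-block", re.compile(r"^```dataviewjs", re.M)),
]

def scan_note(text: str) -> List[Tuple[str, int]]:
    """Return (finding, line_number) pairs for every risky construct in one note."""
    findings = []
    for name, pattern in RISKY_PATTERNS:
        for match in pattern.finditer(text):
            line = text.count("\n", 0, match.start()) + 1
            findings.append((name, line))
    return sorted(findings, key=lambda hit: hit[1])

def scan_vault(notes: Dict[str, str]) -> Dict[str, List[Tuple[str, int]]]:
    """Scan a mapping of note path -> markdown and keep only notes with findings."""
    return {path: hits for path, text in notes.items() if (hits := scan_note(text))}

# Constructed sample vault: two ordinary notes and one note pasted from a web page.
SAMPLE_VAULT = {
    "Journal/2024-01-01.md": "# Monday\nWalked the dog. Read a chapter.\n",
    "Reading/Highlights.md": "- [Book site](https://example.com/book)\n",
    "Clippings/pasted.md": (
        "# Pasted from the web\n"
        "<iframe src=\"https://example.com/embed\"></iframe>\n"
        "<script src=\"https://example.com/widget.js\"></script>\n"
        "<div onclick=\"track()\">Click me</div>\n"
        "<%* console.log(\"runs when the template is inserted\") %>\n"
        "```dataviewjs\nconsole.log(\"runs when the note is rendered\")\n```\n"
    ),
}

if __name__ == "__main__":
    for path, hits in scan_vault(SAMPLE_VAULT).items():
        for name, line in hits:
            print(f"{path}:{line}: {name}")
```

Run it over a real vault by reading each `.md` file into the mapping; anything it flags deserves a look before the note is opened in reading view with those plugins enabled.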
What does a backup do? What's the point? It's to avoid a single point of failure, or rather, a shared point of failure.
Here are some points of failure and their solutions:
- I accidentally deleted my file, so make a copy in another folder.
- My hard drive failed, so make a copy on another drive.
- My house burnt down with my computer and my hard drive! Make an offsite backup.
- Ransomware encrypted all my data and removed my Google Drive access! Make an offline & offsite backup.
"Why can't I just have an offsite & offline backup?"
If you did, you'd create a few problems of your own. Mainly, with only one backup, you're vulnerable while you update that backup. Never (physically or digitally) have all your backups in one place! Plus, it's just annoying to update an offsite & offline backup.
Whether it be an accident, ransomware, hard drive failure, or a government seizure, remember to minimize these shared points of failure.
For the general Obsidian user, I'd suggest storing your files in four locations:
- Your device;
- Your sync provider (Obsidian Sync, Google Drive, etc.);
- An onsite external drive;
- An offsite external drive.
For frequency, I'd suggest weekly for the onsite and monthly for your offsite. Additionally, you may want to consider a location for a yearly backup.
Test your backups!
If you don't test your backups, you may as well not be doing anything! Occasionally, pretend to lose all your data and utilize your backups. Make sure everything works as you expect it would! And yes, you should test all of your backups.
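An added example, not code from the original post: a Python script that makes a vault backup with a hash manifest and then performs the restore test described above, extracting into a scratch directory and comparing every file. The sample vault, the destination path and the "vault-weekly" name are constructed for the demo.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def file_hashes(root: Path) -> dict:
    """Map each file's vault-relative path to its SHA-256 so two trees can be compared."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(vault: Path, dest: Path, name: str) -> tuple:
    """Archive the vault to dest/<name>.tar.gz and record a manifest of file hashes."""
    dest.mkdir(parents=True, exist_ok=True)
    archive, manifest = dest / f"{name}.tar.gz", dest / f"{name}.sha256"
    with tarfile.open(archive, "w:gz") as tar:
        for child in sorted(vault.iterdir()):  # add children so paths stay vault-relative
            tar.add(child, arcname=child.name)
    manifest.write_text("".join(f"{h}  {p}\n" for p, h in file_hashes(vault).items()))
    return archive, manifest

def read_manifest(manifest: Path) -> dict:
    return {p: h for h, p in (line.split("  ", 1) for line in manifest.read_text().splitlines())}

def verify_backup(archive: Path, manifest: Path) -> bool:
    """The restore test: extract into a scratch directory and compare every file hash."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive) as tar:
            # The "data" filter (3.12 and backported point releases) rejects members escaping dest.
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **extra)
        return file_hashes(Path(scratch)) == read_manifest(manifest)

def build_sample_vault(root: Path) -> Path:
    """Constructed sample vault (not a real one): two notes in two folders."""
    vault = root / "MyVault"
    (vault / "Journal").mkdir(parents=True)
    (vault / "Journal" / "2024-01-01.md").write_text("# Monday\nWalked the dog.\n")
    (vault / "Ideas.md").write_text("- write a backup script\n")
    return vault

def run_restore_test() -> tuple:
    """Back up the sample vault, prove it restores, then show the backup going stale."""
    with tempfile.TemporaryDirectory() as tmp:
        vault = build_sample_vault(Path(tmp))
        archive, manifest = make_backup(vault, Path(tmp) / "onsite", "vault-weekly")
        restored_ok = verify_backup(archive, manifest)
        (vault / "Ideas.md").write_text("- edited after the backup was taken\n")
        still_current = file_hashes(vault) == read_manifest(manifest)
        return restored_ok, still_current
```

The second value turning false is the point of the weekly/monthly schedule: a backup that verified last week no longer reflects the vault once you have edited it.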
For those who like to keep their data out of others' hands, I highly suggest using something like VeraCrypt. It will allow you to create an encrypted volume, or my preference, an encrypted folder volume. Additionally, because you only have "one" file, this method makes backing up an easy operation.
Everyone should consider the above. It's the most relevant advice and saves more time than it takes. I can't say the same for the more advanced stuff. If you are still interested, check out my post next Sunday, where I'll show you how to set up a sandbox and firewall for your vaults. Surprisingly, Android makes it the easiest.
If you're subject to regulations like HIPAA, confidentiality is the priority, so I highly advise against using unvetted third-party content. If you still choose to use Obsidian, your vaults should remain offline!
Greyware: software that contains both legitimate and malicious elements.
Spyware: software that spies on you.
This information is likely limited to simple metadata: date of access, IP address, and user agent (Obsidian). It should be of little concern to most.