Why
Revenge has first-party support for plugins. Plugins can execute arbitrary code. A malicious actor can embed malware into the plugin.
Solution
Add a signature system to verify plugins. The author's signature must, and ours should, accompany each plugin.
The author's signature is so the user can ensure the plugin was signed off by someone they trust. Our signature is needed so the user can verify that we trust the plugin and that it is secure.
How it works
The system checks the signatures and executes the plugin under the following conditions:
Both signatures are valid
Only the author's signature is present, and the user trusts the author
If no signature is present or either of the two is invalid, the likelihood of tampering with the plugin is high, and the plugin should not be executed. If the author's signature is present but is not trusted yet, the user must first agree to trust the author without our assurance. If our signature is present but the author's signature is missing or invalid, we made a mistake as we trusted a plugin that the author has not signed off on.
By default, the environment should configure the keys and Revenge trusts. Our environment configures our keys. Another environment, such as a fork or a local environment, would configure its keys.
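The rules under "How it works", written out as an added TypeScript example (not Revenge's own code). It assumes Ed25519 detached signatures over the plugin bytes via Node's `node:crypto` and a plugin that ships its author's public key; the `Plugin` and `Trust` shapes, `keyId`, `state` and `decide` are hypothetical names, and the keys and plugin body are constructed sample data.

```typescript
import { generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

type SigState = "missing" | "invalid" | "valid";
type Decision = { action: "execute" | "ask-user" | "reject"; reason: string };
type Plugin = { code: Uint8Array; authorKey: KeyObject; authorSig?: Uint8Array; ourSig?: Uint8Array };
// Supplied by the environment (official build, fork, or local setup), never by the plugin.
type Trust = { ourKey: KeyObject; trustedAuthors: Set<string> };

// Stable identifier for a public key: its DER-encoded SPKI, base64 (assumed format).
const keyId = (k: KeyObject): string => k.export({ type: "spki", format: "der" }).toString("base64");

// Classify one detached signature over the plugin bytes.
const state = (code: Uint8Array, key: KeyObject, sig?: Uint8Array): SigState =>
  !sig ? "missing" : verify(null, code, key, sig) ? "valid" : "invalid";

function decide(p: Plugin, t: Trust): Decision {
  const author = state(p.code, p.authorKey, p.authorSig);
  const ours = state(p.code, t.ourKey, p.ourSig);
  if (author === "invalid" || ours === "invalid") return { action: "reject", reason: "invalid signature" };
  if (author === "missing")
    return { action: "reject", reason: ours === "valid" ? "official signature without author signature" : "unsigned" };
  if (ours === "valid") return { action: "execute", reason: "both signatures valid" };
  return t.trustedAuthors.has(keyId(p.authorKey))
    ? { action: "execute", reason: "trusted author" }
    : { action: "ask-user", reason: "author not trusted yet" };
}

// Constructed sample data: throwaway key pairs and a stand-in plugin body.
const ourPair = generateKeyPairSync("ed25519");
const authorPair = generateKeyPairSync("ed25519");
const code = new TextEncoder().encode("export default { start() {} }");
const trust: Trust = { ourKey: ourPair.publicKey, trustedAuthors: new Set() };
const base = { code, authorKey: authorPair.publicKey };
const authorSig = sign(null, code, authorPair.privateKey);
const ourSig = sign(null, code, ourPair.privateKey);

const cases = {
  both: { ...base, authorSig, ourSig },
  authorOnly: { ...base, authorSig },
  oursOnly: { ...base, ourSig },
  unsigned: base,
  tampered: { ...base, code: new TextEncoder().encode("modified after signing"), authorSig, ourSig },
};
for (const [name, p] of Object.entries(cases)) console.log(name, decide(p, trust));
```

The `oursOnly` outcome is worth logging separately from ordinary rejections, since it indicates a signing mistake on the project side rather than a problem with the user's plugin source.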