Security and Privacy of VSCode extensions


Question

I see that VSCode has a lot of nice extensions. I am however concerned whether those extensions are sending my code to any of their servers. Is there any way to find out? I could use Fiddler and isolate calls that might be happening from the plugin, but I don't want to be doing that for each and every extension that I install. Is there some guidance from the VSCode team on this?

Answer

If you are paranoid about what kind of data (if any) your installed applications/plugins send and where to, you will first have to inspect the plugin source code line by line, and then set up a kind of man-in-the-middle proxy server that logs every network transaction. There is a tool fittingly called mitmproxy that is used, for example, in iOS network forensics or really for any closed device you cannot readily peek into: https://mitmproxy.org

This is laborious work, as you will have to sift through tons of connection data. The upside is that in the end you will know exactly what kind of data is sent where, even over SSL-encrypted connections. mitmproxy can place itself in the middle of those connections as well, after some initial setup.

Other than that, you can only set up a personal firewall or (depending on your OS) a full firewall ruleset, blocking all but manually approved connections.

In the end, it all depends on what your threat level is, as it is called in the security industry. If you have exceptionally high operational security requirements, you shouldn't be connecting to the internet at all from the machine you handle sensitive information on; use an air-gapped machine instead, physically transferring data from one to the other and setting up several additional safeguards such as intrusion detection, heuristic scanning and physical access limitations.

However, this kind of security overhead is usually overkill. If you install highly rated and popular plugins, you are probably good to go, as the law of large numbers dictates that nefarious behavior will get detected vastly more easily the more people are participating.

Security is a highly complex and dynamic task that you will either have to do yourself or pay someone to do for you. Also, it's a numbers game, or one of deterrents. There is no 100% secure anything. Given enough time and resources, anything can be compromised. The game is to make compromising a target harder than the possible gain from successfully doing so is worth. An open source project that's not squarely developed as a security solution (even one from a giant like Microsoft) cannot be expected to do this security review for you for free.

Update: As VSCode becomes very popular, the issue of evil plugins arises. This is the same issue as with any plugin architecture (like web browsers) or public package manager (like npm). When there are no formal, automated and manual security reviews (like Apple's App Store, and despite their massive manpower they slip up from time to time), from an information security standpoint all those systems are potentially toxic. It is also possible that a popular extension gets sold and/or changes owner, followed by an injection of bad code. This has happened multiple times with browser plugins and npm packages. Extensions are a considerable attack vector, especially for the enterprise. Developers often have far wider access to network infrastructure and services than a regular user does, and run software with higher privileges on their machines.

In summary:

I could use Fiddler and isolate calls that might be happening from the plugin, but I don't want to be doing that for each and every extension that I install.

I'm afraid that's exactly what you would have to do for the time being.
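The two steps the answer describes, inspecting the extension's source and then watching its traffic through mitmproxy, as an added example that is not part of the original question or answer. The script assumes the standard extension layout (a package.json beside the compiled JavaScript, as found under ~/.vscode/extensions/<publisher>.<name>-<version>/), a baseline allowlist of two VS Code hosts, and a canary string of your own choosing; the extension it scans is constructed in a temporary directory for the demonstration. The proxy hook uses mitmproxy's script-addon interface (a module-level `request(flow)` function) and needs mitmproxy installed only when run under mitmdump; everything else is standard library.

```python
"""Triage a VS Code extension for outbound network activity.

Added example, not code from the original post. It follows the answer's two
steps: (1) a static pass over the extension's JavaScript to list network APIs
and URL literals, which yields the hosts the extension is expected to talk to;
(2) a mitmproxy addon hook that, when this file is loaded with
`mitmdump -s triage.py`, flags requests to any other host and requests whose
body carries a canary string planted in the workspace. Installed extensions
live under ~/.vscode/extensions/<publisher>.<name>-<version>/; the sample
extension built below is constructed for the example.
"""
import json
import logging
import os
import re
import tempfile
from urllib.parse import urlparse

# Call patterns that indicate outbound network activity in extension code.
NETWORK_APIS = ("fetch(", "https.request(", "http.request(", "axios",
                "XMLHttpRequest", "net.connect(", "new WebSocket(")
URL_RE = re.compile(r"https?://[\w.-]+(?::\d+)?(?:/[^\s'\"`)]*)?")

# Assumed baseline: hosts VS Code itself is expected to reach. Extend it with
# the hosts reported by scan_extension() for each extension you install.
ALLOWED_HOSTS = {"marketplace.visualstudio.com", "update.code.visualstudio.com"}
# Assumed canary: plant this string in a file in the open workspace; a request
# body carrying it proves that file contents left the machine.
CANARY = "CANARY-7f3a9c-do-not-ship"


def scan_extension(ext_dir):
    """Static pass: read package.json and every .js file under ext_dir."""
    with open(os.path.join(ext_dir, "package.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    apis, hosts = set(), set()
    for root, _dirs, files in os.walk(ext_dir):
        for name in files:
            if not name.endswith((".js", ".mjs", ".cjs")):
                continue
            with open(os.path.join(root, name), encoding="utf-8", errors="replace") as f:
                src = f.read()
            apis.update(api for api in NETWORK_APIS if api in src)
            hosts.update(urlparse(url).hostname for url in URL_RE.findall(src))
    return {
        "id": f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}",
        "version": manifest.get("version"),
        "network_apis": sorted(apis),
        "hosts": sorted(h for h in hosts if h),
    }


def classify_request(host, body, allowed_hosts, canary):
    """Dynamic pass decision logic, kept pure so it can be exercised offline."""
    findings = []
    if host not in allowed_hosts:
        findings.append(f"unexpected host {host}")
    if canary and canary in body:
        findings.append("request body contains workspace canary")
    return findings


def request(flow):
    """mitmproxy addon hook: called once per client request passing the proxy."""
    body = flow.request.get_text(strict=False) or ""
    for finding in classify_request(flow.request.pretty_host, body, ALLOWED_HOSTS, CANARY):
        logging.warning("%s %s: %s", flow.request.method, flow.request.pretty_url, finding)


def make_sample_extension():
    """Constructed sample extension (not a real one) in a temporary directory."""
    ext_dir = tempfile.mkdtemp(prefix="acme.helper-0.0.1-")
    with open(os.path.join(ext_dir, "package.json"), "w", encoding="utf-8") as f:
        json.dump({"name": "helper", "publisher": "acme", "version": "0.0.1",
                   "main": "./out/extension.js"}, f)
    os.mkdir(os.path.join(ext_dir, "out"))
    with open(os.path.join(ext_dir, "out", "extension.js"), "w", encoding="utf-8") as f:
        f.write(
            "const vscode = require('vscode');\n"
            "function activate(context) {\n"
            "  const text = vscode.window.activeTextEditor.document.getText();\n"
            "  fetch('https://api.example.com/v1/complete', {method: 'POST', body: text});\n"
            "  fetch('https://telemetry.example.net/collect?ext=helper');\n"
            "}\n"
            "module.exports = { activate };\n"
        )
    return ext_dir


if __name__ == "__main__":
    report = scan_extension(make_sample_extension())
    print(json.dumps(report, indent=2))
    # Hosts found by the static pass become the allowlist for the proxy pass;
    # anything else the extension contacts at runtime shows up as a finding.
    expected = ALLOWED_HOSTS | set(report["hosts"])
    print(classify_request("telemetry.example.net", "", expected, CANARY))
    print(classify_request("evil.example.org", f"text={CANARY}", expected, CANARY))
```

Run the file directly to see the static report, or load it with `mitmdump -s triage.py` after pointing VS Code at the proxy (the http.proxy setting) and trusting mitmproxy's CA. Compare the hosts the static pass reports with the hosts that actually appear in the proxy log: a helper process an extension spawns, such as a language server, opens its own connections and does not necessarily go through the proxy at all, which is one reason to do the static pass first rather than rely on captured traffic alone.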

