Sublime Forum

Privacy of file contents when using ST3

#1

This occurred to me when working on a web project that contained login and password details (in plain text) in a JS file. It made me wonder if files opened/saved with ST3 can be viewed/saved/uploaded in some way by a 3rd party plugin or server related to ST. Is this possible? I would like to think that ST can be used on highly sensitive projects and that there is no way the app or a 3rd party plugin can access and transmit data from files, whether from a search or editing a current file.

Any light on this would be much appreciated.

0 Likes

#2

I’m not sure I fully understand your question, because by definition as software that you use to open and edit your text, Sublime must have access to the text in question, just as for example Photoshop has access to the pixel data in any images you might be editing.

Is it possible that Sublime might ship the contents of your file off of your computer in some fashion? Sure.

Is it possible that some package you have installed for Sublime might do the same? Sure.

Plugins in Sublime (third party ones or the ones that ship with Sublime itself, which make up a lot of the default editor behaviour) by definition have access not only to the text in the buffer (otherwise they could not in any way edit it) but also to the Python runtime that they’re scripted in.

That said, the bigger worry is probably that some third party package that you’ve installed is doing something nefarious behind your back. Sublime checks for updates and validates your license but doesn’t otherwise talk out as far as I’m aware. Presumably the only reason for Sublime to steal your data is because they’re tired of being a viable company whose software is trusted by anyone.

3 Likes

#3

That was my concern.

I’m aware that the contents of the files must be read locally by the plugins for the IDE to function. My query was whether it’s possible for file contents to be broadcast out in some nefarious way.

I would think Sublime wouldn’t allow this to happen by design. But I’m wondering if anyone can confirm the extent of how secure ST is and whether someone unscrupulous has ever succeeded in stealing data from files; for example, via a plugin.

0 Likes

#4

Sublime isn’t run in a sandbox. Sublime packages can run arbitrary Python code; like most software, they can access anything the current user can.

In an ideal world, it would be nice if Sublime had a robust sandbox with granular permissions, but the amount of time and effort that would be needed to implement and maintain such a system renders it impractical.

0 Likes

#5

Sandboxes

> In an ideal world, it would be nice if Sublime had a robust sandbox with granular permissions

What do you want? Excellent extendability or another notepad.exe? Sorry for the hard words, but what do you expect from a sandbox? It just disables functionality which was added by a scripting engine a step earlier. It is a desperate try to repair a broken and poorly designed scripting engine!

If you really want to achieve a maximum of security, you need only 3 steps:

  1. Choose your software well (here ST and the packages you use)
  2. Place all of them into a folder which only a trusted person has write access to (portable setup)
  3. Run the app with minimal rights (ordinary user)?

Means: Create a trusted fixed setup and use it in a trustworthy environment instead of trying to repair the broken environment with your software.

Sublime Text

With that said: Sublime Text may even be one of the most trustworthy pieces of software these days!

All bigger companies only want our best - not our money - our data! We are just sources of information they can mine to get more and more power!

But the guys behind Sublime Text don’t only talk about but really care about your privacy!

The only network connection Sublime Text establishes is to the license server to validate it or revoke licenses after refund!

If you use Package Control, it will send back information about installed/removed packages and their version. As it is open source, you can check the information sent. They don’t contain any personal information nor any content of your work. (If you don’t want it, you can disable sending stats in the settings.)

All packages in Package Control are revised before being accepted/published to not do any harmful things and can be dropped at any time if they start doing so. There was a very popular case about SideBarEnhancements recently, which was compromised by a Kite API to send usage statistics.

Plugins

> It made me wonder if files opened/saved with ST3 can be viewed/saved/uploaded in some way by a 3rd party plugin or server related to ST. Is this possible?

Technically a 3rd party plugin could do anything with your text. It is the most basic meaning of the plugin-API to give plugins the ability to interact with your text in any way. Without it, most packages/plugins and the API would be just useless!

Packages like GitGutter or SublimeLinter need to store a temporary copy of your content in the %temp% directory as the backend tools (git.exe, linters) need it as input.

But most packages/plugins are simple helpers, which don’t save any data somewhere.

Most packages are open source and can therefore be checked. Just look for imports like urllib, socks, http or things like that and check what they do if found.

Packages named like GoogleTranslate may need to send the selected text to Google to be translated, but this is pretty obvious. You don’t need to use such plugins.

The SFTP plugin can be used to securely sync your local files with a secure ftp server. It uses psftp.exe as backend.

Plugins-Runtime

Any *.py file placed somewhere in the Data/Packages folder providing the required API classes will be loaded and executed as a plugin at any time. Means if a user downloads and places a plugin in one of the tracked folders, it will be loaded. If such a plugin does harmful things, you lose. But changing that in some way would break any plugin upgrade handled by Package Control and would most likely need user interaction or a specified attack against your ST setup to let someone place extra plugins during runtime. I guess there are global techniques to harden your setup against such attacks.

Package Control

Package Control uses https to communicate with the internet and validates the hostname against the certificate to avoid man in the middle attacks.

I didn’t find any package in the official repositories right now, which compromises privacy. If so we could report it at any time!

To increase security, you

  1. don’t need to use Package Control
  2. use it with your own private repository.

The 2nd and maybe better way is what many companies seem to do. They manage their own package repository to provide their employees only trusted and revised packages.

Conclusion

  • Sublime Text itself is designed to provide as much privacy as possible.
  • It does not send any harmful information about you and your projects home.
  • Its plugin-API is as secure as the ones of any other scripting engine driven plugin-API of other editors/tools. (Don’t think huge JavaScript engines of some big Silicon Valley IT companies are more trustworthy and secure!)
  • The overall security depends on your infrastructure. ST is not designed to try to fix a malicious environment.

3 Likes
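
The import check suggested in post #5, as an added example (not code from the thread, Sublime Text or Package Control): it parses each plugin with Python's `ast` module rather than searching text, also opens zipped `.sublime-package` archives, and flags calls that can hide an import. The watched modules other than `urllib` and `http`, the function names and the sample files are assumptions made for illustration.

```python
import ast
import tempfile
import zipfile
from pathlib import Path

# "urllib" and "http" are named in the post; the other names are assumptions.
WATCHED = {"urllib", "http", "socket", "ftplib", "requests", "subprocess"}
DYNAMIC = {"__import__", "exec", "eval", "import_module"}  # can hide an import

def flagged(source, name="<plugin>"):
    """Return sorted (line, finding) pairs for one plugin source (str or bytes)."""
    try:
        tree = ast.parse(source, filename=name)
    except (SyntaxError, ValueError):
        return [(0, "unparseable")]  # review by hand; do not assume it is clean
    hits = set()
    for node in ast.walk(tree):
        mods = []
        if isinstance(node, ast.Import):
            mods = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            mods = [node.module or ""]
        elif isinstance(node, ast.Call):
            called = getattr(node.func, "id", None) or getattr(node.func, "attr", None)
            if called in DYNAMIC:
                hits.add((node.lineno, "dynamic:" + called))
        hits.update((node.lineno, m) for m in mods if m.split(".")[0] in WATCHED)
    return sorted(hits)

def scan(root):
    """Audit loose *.py files and zipped *.sublime-package archives under root."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.suffix == ".py" and path.is_file():
            report[path.relative_to(root).as_posix()] = flagged(path.read_bytes(), path.name)
        elif path.suffix == ".sublime-package" and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                for n in zf.namelist():
                    if n.endswith(".py"):
                        report[path.name + "!" + n] = flagged(zf.read(n), n)
    return {key: found for key, found in report.items() if found}

def demo():  # constructed sample Packages folder, not real packages
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "Helper").mkdir()
        Path(tmp, "Helper", "helper.py").write_text("import sublime_plugin\nimport re\n")
        Path(tmp, "Helper", "stats.py").write_text("import urllib\n__import__('socket')\n")
        with zipfile.ZipFile(Path(tmp, "Translate.sublime-package"), "w") as zf:
            zf.writestr("translate.py", "from http import client\n")
        return scan(tmp)
```

A hit is a prompt to read that file, not a verdict: packages that call backend tools, as GitGutter does with git, import such modules legitimately.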

#6

@europa21, you should do this if you are worried about privacy:

The best way to create this environment is never to install packages directly by Package Control, but directly from your account. What does that mean? It means you need to:

  1. Fork to your account all the packages you want to install into your Sublime Text, then you need to review all their code to see if they are stealing your data or weakening your security.
  2. And when a package has an update, you need to review the code changes, before merging them back into your fork and rebasing the changes into your Sublime Text installation.

One of the best ways to do this is by GitHub. Because most packages are available on GitHub and there is the backstroke.us service you can register on your fork. This will automatically create a pull request from your fork upstream into your fork (downstream), when some update is pushed into the original package repository.

I have created about 140 forks of all the Sublime Text packages into my GitHub account, and registered for all of them a hook/link with the backstroke.us service. Then every time someone launches an update on some of these 140 forks, I receive an email from GitHub announcing a new pull request created into my fork of these packages.

To help organize it, I created some email label rules to group these emails together. I receive 2 types of emails:

  1. The first is when the pull request was created. I only receive one email of this until I merge the pull request. Then I label this special email as BackstrokePending. When I finally merge the pull request, I just remove the label BackstrokePending, marking this repository as already reviewed and merged.

  2. The second is when a new commit is pushed into the original repository. This is not important, so I just label it as Backstroke. This label is also set to the first type BackstrokePending, so I can keep everything related to it together on the label Backstroke.

Initially I did not do it like this, drastically forking everything. I would just install them by Package Control as usual and create package overrides for the files I would like to change. For example, one of the things which bothered me most was the Context.sublime-menu files created by the packages. I do not know why, but it seems like everybody wants to put stuff into your context menu. Then almost every time I installed a package, I had to create these overrides for the menu entries, removing them from my Sublime Text. However, it got more bothersome when I also started needing to override other stuff like abusive .sublime-keymap, Tab Context.sublime-menu etc.

I finally abandoned doing these overrides when I started needing to fix packages or write stuff I was missing on them, or completely rewriting them because they were too bugged. Then, I started forking everything for once, and creating backstroke links with the upstream. Originally, to install all these packages on my Sublime Text, I had to go to the command line and run a git clone --recursive on the main repository where I had registered all the forks (a.k.a. git submodules). But it had some downsides, as it was not always I could install everything by git, because doing so takes about 500MB of space on the file system and creates about 13.000 files in the Packages folder.

To overcome this, I created an installer which automatically installs all the packages directly from my forks with Package Control as usual .sublime-packages. Doing it this way had advantages such as taking much less file system space. It is just about 50MB and creates about 1000 files. Therefore, installing everything is much faster. It takes about 2 minutes, against 20 minutes by git clone --recursive, which also misses out some packages due to bugs in the git client, which seems not to behave well when there are about 170 submodules in only one repository.

1 Like

#7

Since this seems to be unclear: Sublime Text plugins can execute arbitrary Python code, hence they can read and upload all files they/you have the permission to read. So you can’t stop a plugin from reading and uploading your file by not opening it with ST.

0 Likes

#8

To add to what @r-stein said: vanilla Sublime Text will never send the contents or filenames of any of your files to any server hosted by us or a third-party. If you are concerned about security and such issues, I recommend not installing Package Control or any third-party packages. That way you will only ever run the Python code we ship with Sublime Text.

2 Likes