Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I am very confused by this post:

1. VSCode uses SSH (with its security profile) and the user can't do anything more with VSCode that they can already do with SSH. If the comparison is between a system without SSH and a system with VSCode and SSH--sure--I understand the concern, but it's an issue with enabling SSH and not VSCode.

2. VSCode can change files and persist? Well, it's a local editor, so yeah, it can change files and persist, that's literally its purpose. If that's an issue, disable editing permissions for the user.



The server running at the remote end can execute code on the client. If an SSH server can do that it's a security issue and a bug.

The README does warn about this: "A compromised remote could use the VS Code Remote connection to execute code on your local machine."

https://marketplace.visualstudio.com/items?itemName=ms-vscod...


You are not the one who's confused. The author of the article is.


Normally on connecting to a remote machine you expect to be able to control that machine, you don't expect that machine to gain control over yours.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: