Open anarcat opened 3 years ago
Yes I'd totally be open to this! I'd want to make sure the GUI app and the web service share the same container. And it would probably make sense to put the web service code in a separate repo, like firstlookmedia/dangerzone-web (which I could create).
Yes I'd totally be open to this! I'd want to make sure the GUI app and the web service share the same container. And it would probably make sense to put the web service code in a separate repo, like firstlookmedia/dangerzone-web (which I could create).
i was thinking the container itself could be a web server. then consumers would talk to it over a socket instead of the commandline + shared volume, which "feels" safer to me for various reasons.
in other words, the container is the magic service, the GUI app is just a frontend.
alright, so i ended up doing something like this. it's not really a web service in the traditional sense: it's just a batch script that processes files on a WebDAV server. but with a nextcloud backend, it kind of looks like a web service to users... you share a folder with the dangerzone-bot
user, and drop files into it. then the files magically disappear into a dangerzone
subfolder, and when processed, appear in a safe
folder.
it might not be the best approach, and probably not what you had in mind, but it definitely scratched an itch for us while solving a bunch of issues regarding rate limiting, access control, queuing and storage.
the good stuff lives at https://gitlab.torproject.org/tpo/tpa/dangerzone-webdav-processor/ and has been used in production in one hiring process so far. :)
If there is to be a web frontend for Dangerzone it could borrow mat2-quasar-frontend implementation (mat2 is avaialble on Tails and Whonix) It is basically the same logic: (demo)
Having a web service introduces security concerns. It's basically like having a SecureDrop where people drop sensitive files for conversion. If there's ever an exploit to such webservice (e.g. via some vuln in webserver software) the attacker could potentially access any documents sent to the service.
However, if we don't allow document uploads, but rather simply having a place where people could enter a document URL, we'd ensure we'd get public documents only (or at most publicly linkable documents). This would significantly reduce the risk.
We discussed this a bit per suggestion from @micahflee in our team meeting today. In a nutshell, making it possible for newsrooms to set up a web UI seems appealing as an alternative to the common route of "send a document to a trusted person on the IT/security team who will then have to manually inspect/sanitize it and securely send it back". This would typically be set up in private deployments not accessible to folks not working at said organization.
Some considerations for such a feature (building on the discussion we had today):
Generally, I think a feature like this could be a good opportunity to do some threat modeling for the Dangerzone project as a whole, and comparing different deployment strategies.
after i have dug quite a bit in the Docker container, i figured i would just go even bolder and consider making this a web service altogether.
it would be ideal for many reasons:
would you be open to this? i think it would require refactoring the Docker image quite a bit more, but i think it could still be compatible with the current frontend.
Further Evidence / Notes (added by @deeplow)
A user mentioned that they were not very tech-savy and installing programs can be complicated. They suggested having an online Dangerzone version.