Possible Attack Vector via OCR Engine

[deeplow]

The OCR engine does increase the attack surface of Dangerzone, this has been a longstanding hypothesis I've had. We just don't know how much. And recently in the Dangerzone security audit, the auditors had an informational finding of this exact potential issue. Though mutual agreement we decided to include it in the report.

We do not have a proof of concept of this attack scenario, but it is something to consider and explore.

[deeplow]

Communicating Risk to the User

Anything extra that we add that visually processes any of the content of the untrusted file is a risk. This includes compressing it and doing OCR. That's an area that we can consider hardening, but in parallel and with less resources we could communicate this risk to the user.

We could potentially consider exposing this threat to the user though the use of a security slider, very much like Tor Browser, where by default, in the "safe" is the most practical (larger risk, less downsides) and then the user can choose a safer setting that disables OCR, for example.

[deeplow]

If OCR being exploitable is a risk, we also have to take into account that there are situations where we can't control this. For example, in macOS the preview app (PDF viewer) does OCR by default.

[Erioldoesdesign]

We could potentially consider exposing this threat to the user though the use of a security slider, very much like Tor Browser, where by default, in the "safe" is the most practical (larger risk, less downsides) and then the user can choose a safer setting that disables OCR, for example.

COuld I kindly get a screenshot of this tor setting so I can look at the UI/user info?

[deeplow]

Of course! I meant to include them (and even took the screenshots) but forgot to add them. Here you go:

[deeplow]

@Erioldoesdesign before I think they had the settings changeable directly in the :shield: icon, but at some point they changed it to a button that took the user to the settings. I wonder what the motivation was.