Open fpietrosanti opened 11 years ago
This ticket seems to be a wishlist desire of some adopters that probably would benefit from this more than from end-to-end encryption; a lot of adopters in fact would like to remove the TAILS requirement for sterilizing documents and would prefer this action to be performed automatically by the user.
How could we deal with such a requirement?
@fpietrosanti: I found interesting some of the discussions had with sybrian of publeaks concerning the possibility of using Tails inside a virtual machine. Maybe this less rigorous way of using Tails would in the future accommodate a set of tools for the aim of this ticket?
cc @vecna
Every file has to be converted with an appropriate combination of tools, and these tools have to be executed in a virtualized container. The output of such execution can be:
Ok @vecna, I agree that a sterilizer should do that, but how could we implement it together with the end2end encryption capability? This is the main issue of the ticket.
@evilaliv3 When we need any server-side processing of data, there are only two options:
a) Send data in clear text to the server
b) Send data encrypted to the server with a server-processing public key that has its own private key to decrypt it, with a procedure to unlock it at startup time by the administrator
In both situations the full data storage encryption, along with on-the-fly decryption happening in the browser, will be preserved (e.g. a seized server will not disclose that encrypted data, but the server remains a trusted component anyway).
The feature of file sterilizer would provide to the receiver a "converted and secure" version of the documents (pdf or jpeg) that has been uploaded by the Whistleblower as a means to provide a "secure viewer into the web browser".
I think Dangerzone may fit perfectly into this (I'm one of the developers). It was recently adopted by FPF and it is in active development.
I'm not very familiar with the GlobaLeaks architecture, but assuming that the server is a trusted component and has access to the plaintext of the documents, then I think this would be doable.
And it would also address https://github.com/globaleaks/GlobaLeaks/issues/2490, since metadata is removed by the fact that Dangerzone essentially "takes a screenshot" of the document.
I want to signal that the Dangerzone tool has been completed/audited: https://www.opentech.fund/security-safety-audits/dangerzone-security-audit/
Yup. With quite insignificant findings. Also, in Dangerzone land, there have also been advances in the conversations about traceless sanitization (i.e. without writing to disk). Still early days, but progress nonetheless. My understanding from a conversation with @evilaliv3 is that this would be a requirement for integration into GlobaLeaks.
This ticket is about the brain dump of the "File sterilizer" by Anatole.
The feature of file sterilizer would provide to the receiver a "converted and secure" version of the documents (pdf or jpeg) that has been uploaded by the Whistleblower as a means to provide a "secure viewer into the web browser".
The receiver will see the "sterilized" version from the Tip page and can see it.
When the receiver is going to download the "non-sterilized" original file, he will be given an additional warning to pay attention while opening it.
The File sterilizer must use very big libraries from office suites, such as LibreOffice, to make its own backend file format conversion activity. For that reason it must run as an independent external service that GlobaLeaks can integrate with.
The implementation idea is that GlobaLeaks will be able to call the FileSterilizer server through a POST request and will get back the file converted and "sterilized" from any possible malware or metadata.
The File Sterilizer server should be implemented as an independent software with its own Debian package, based on the following unoconv software: https://github.com/dagwieers/unoconv
GlobaLeaks will provide to the Admin the ability to "enable" the file sterilizer feature, and insert the URL where the File Sterilizer is running.
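As an added example that is not part of this thread nor of the GlobaLeaks, unoconv or Dangerzone code, here is a Python client for the POST-based integration sketched in the brain dump above. The request and response format (raw upload bytes in the body, an X-Filename header, the converted document returned with Content-Type application/pdf or image/jpeg) and the /sterilize path are assumptions, since the issue fixes none of them; the in-process HTTP server is a constructed stand-in that returns a stub PDF instead of running unoconv. The point the example adds is on the receiving side: GlobaLeaks should not trust whatever the sterilizer hands back, so the client accepts only a PDF or JPEG whose bytes actually begin with that format's magic number and enforces a size cap, treating anything else as a failed sterilization rather than showing it to the receiver.

```python
"""Client for a GlobaLeaks-style "File Sterilizer" HTTP service.

Hypothetical protocol (an assumption for this example, not the project's
real API): the client POSTs the raw upload bytes to the sterilizer URL with
an X-Filename header and receives the converted document as the response
body, with Content-Type application/pdf or image/jpeg.
"""
import http.server
import threading
import urllib.error
import urllib.request

MAX_STERILIZED_BYTES = 50 * 1024 * 1024  # cap on what we accept back

# Magic numbers of the two output formats the brain dump allows.
ALLOWED_MAGIC = {
    "application/pdf": b"%PDF-",
    "image/jpeg": b"\xff\xd8\xff",
}


class SterilizerError(Exception):
    """Raised when the sterilizer is unreachable or its output is not trusted."""


def sterilize(service_url, filename, data, timeout=30.0):
    """POST the original upload and return (content_type, sterilized_bytes).

    Only a PDF or JPEG whose body really starts with the matching magic bytes
    is accepted, so a misconfigured or compromised sterilizer cannot hand an
    arbitrary file back to the receiver labelled as "sterilized".
    """
    req = urllib.request.Request(
        service_url,
        data=data,
        method="POST",
        headers={
            "Content-Type": "application/octet-stream",
            "X-Filename": filename,  # hypothetical header name
        },
    )
    try:
        # HTTPError (non-2xx) is a subclass of URLError, so both are caught.
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            ctype = resp.headers.get("Content-Type", "").split(";")[0].strip()
            body = resp.read(MAX_STERILIZED_BYTES + 1)
    except urllib.error.URLError as exc:
        raise SterilizerError("sterilizer unreachable or failed: %s" % exc) from exc
    if len(body) > MAX_STERILIZED_BYTES:
        raise SterilizerError("sterilized output exceeds size cap")
    magic = ALLOWED_MAGIC.get(ctype)
    if magic is None:
        raise SterilizerError("unexpected output type %r" % ctype)
    if not body.startswith(magic):
        raise SterilizerError("output body does not match its declared type")
    return ctype, body


class _MockSterilizer(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the real service: it converts nothing and
    answers with a stub PDF so the client logic can run offline. A filename
    ending in ".bad" makes it return a mislabelled non-PDF body, the failure
    case the client must reject."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        original = self.rfile.read(length)
        if self.headers.get("X-Filename", "").endswith(".bad"):
            body = b"MZ\x90\x00 not a document"  # declared PDF, is not one
        else:
            body = (b"%PDF-1.4\n%mock conversion of " + str(len(original)).encode()
                    + b" input bytes\n%%EOF\n")
        self.send_response(200)
        self.send_header("Content-Type", "application/pdf")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_mock_server():
    """Start the stand-in service on a free loopback port; return (server, url)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _MockSterilizer)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/sterilize" % srv.server_address[1]


def demo():
    """Run one accepted and one rejected sterilization against the mock."""
    srv, url = start_mock_server()
    try:
        ctype, pdf = sterilize(url, "leak.docx", b"PK\x03\x04 constructed docx bytes")
        try:
            sterilize(url, "evil.bad", b"constructed upload")
            rejected = False
        except SterilizerError:
            rejected = True
    finally:
        srv.shutdown()
        srv.server_close()
    return {"ctype": ctype, "is_pdf": pdf.startswith(b"%PDF-"), "mismatch_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the sterilizer URL would be the one the Admin configures in GlobaLeaks, and the service behind it would run the unoconv (or Dangerzone) conversion inside its own container; the client-side checks stay the same regardless of which converter is behind the URL.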