Dangerzone (PDF Sandboxing)

jerm · December 22, 2023, 3:02pm

Dangerzone

Take potentially dangerous PDFs, office documents, or images and convert them to safe PDFs.

Would it be more convenient to use Dangerzone than using pdf.js with a sandboxed browser (such as Chromium (Brave doesn’t use it) or Firefox) in a virtual machine without network access? Because this method is an overkill for the average user.

widget · December 22, 2023, 3:22pm

Even I wanted to know if opening pdf in Firefox is good as it has all the features which I use in SumatraPDF.
This would help me in reducing one more software for just pdf docs.

seize · December 22, 2023, 6:11pm

I have been wanting to try out Dangerzone for a while now. However it seems the fedora package is broken at the moment.

I will definitely have to give dangerzone a shot on my Ubuntu machine though.

Relevant links regarding fedora support, for anyone interested.
Dangerzone mastodon post on the issue
github issue concerning fedora 39 support

HauntSanctuary · December 23, 2023, 2:10am

Assuming the payload isnt in the PDF itself (that VirusTotal would /should find), would temporarily disconnecting from the internet be sufficient or is there something more?

I dont think we should be opening PDFs directly into browsers as well?

Valynor · December 23, 2023, 3:33pm

I think opening a PDF in a (Chromium) browser is still the safest place* because all tabs are sandboxed. You would need an exploit chain to break out of there and considering the speed in which Chromium CVEs get fixed bad actors usually don’t burn these expensive exploits on common people.

*a step up for this is opening the pdf in chromium in a Linux VM with no network access, deleting the VM snapshot afterwards

exaCORE · December 23, 2023, 8:39pm

Does that apply to firefox? (Does firefox have per tab isolation yet?)

seize · December 24, 2023, 3:11am

If I understand correctly Firefox per site isolation is essentially the same as Chromium’s per tab isolation. Therefore Firefox should be suitable for this use.

Relevant links:
Firefox per site isolation
Chromium per site isolation

Average_Joe · December 31, 2023, 8:16pm

I’ve been waiting for this as well!

Is there an update???

seize · December 31, 2023, 8:45pm

Firefox (for desktop) has had per tab isolation since 2020. On android per tab isolation exists, but it is disabled by default. The only way I know of to enable per tab isolation on android is through about:config

Unfortunately about:config is only available on Firefox forks and Firefox nightly. I don’t know if there is a roadmap for enabling Per tab isolation on android, however I have heard that it causes significant battery drain.

sha123 · December 31, 2023, 9:39pm

Doesn’t matter much, because the renderer processes are still not properly sandboxed on Android.

sha123 · December 31, 2023, 9:49pm

Not convinced to use this for potentially malicious documents on Linux, because the container is not a strong sandbox.

Topic		Replies	Views
PDF Editor for macOS Questions software	0	233	July 11, 2023
Is there a FOSS counterpart to MDAG on Linux? Questions software	0	282	September 3, 2023
Secureblue - Immutable Fedora Hardening Tool Suggestions rejected	25	2033	March 13, 2024
What are you thoughts on KOReader? Questions	0	260	April 5, 2023
OpenScan (open source CamScanner alternative) Tool Suggestions	3	393	April 17, 2024

Dangerzone (PDF Sandboxing)

Dangerzone

Related Topics