OnlyOffice replacement

Hi, following the topic here, I’m looking for a replacement as I have lost trust in OnlyOffice.

I don’t like the UI of Draw from LibreOffice and I can’t seem to install Okular as it uses the Windows Store, which I disabled.

Any other recommendations?

1 Like

There are no other recommendations. If you want FOSS and for Windows, then LibreOffice and OnlyOffice are only options.

From there, you have to go with proprietary, usually commercial office suites

5 Likes

Ok follow-up question then.

How do I know there are no connections being made while using OnlyOffice? How can I make sure it’s 100% offline?

Check the logs on your router.

Could you explain how? I downloaded the logs, but I’m not sure what to look for.

If Privacy Guides recommend the app, to they make this sort of verification prior to the recommendations? Does OnlyOffice by default not connect to the internet?

You could just use an application firewall, like LittleSnitch for macOS, OpenSnitch for Linux, Portmaster from Safing for Windows.

Honestly thought, if you “have lost trust” only because of the alarmist post you’ve linked then you might want to ask yourself if you’re exaggerating a bit.

Although everything is up to you.

1 Like

You have the source code available for audit, which is the most laborious way.

That aside, the easiest way I can think of monitoring network traffic is:

  1. Run a barebones Linux, such that there are no other network requests being made unless you make them (this simplifies the process capturing packets for analysis, and not getting other noise). There are ways to capture by process process, but it is not as easy to setup nor can I confidently say how to do it well. If you run Windows there might be a tool I’m not aware of (of which you would need to find, Windows sends out plenty of random requests).
  2. After that, turn on a network analysis tool of your choosing (i.e. WireShark, tcpdump, etc)
  3. Open OnlyOffice, and began using it.

Monitor the network and see what happens. You won’t be able to see the body of the requests if its HTTPS, unless you setup your own MITM attack so you can decrypt the body before sending it off. Even if that isn’t done, you will have an idea if its sending anything at all and who its sending to. You can do reverse DNS lookups on outbound IP addresses. Keep in mind some network requests might be as harmless as “Check for Updates” and really are mundane, but its hard to tell unless you setup a way to decrypt the HTTPS body, or just plan audit the source code.

Honestly thought, if you “have lost trust” only because of the alarmist post you’ve linked then you might want to ask yourself if you’re exaggerating a bit.

I also somewhat agree with this. Generally if an open source project slips in nefarious code with intense privacy invasion, there would have already been a massive outcry. Unless you are downloading OpenOffice from some sketchy places, you can probably have high confidence that the program being ran is fine. Not to say you have to trust it, but if the only reason for distrust is because of Russian developers, then I’d caution of prejudice. However, maybe I missed something, and perhaps communicating the exact reason of distrust might be worthwhile to determine if you really need to hop off application.

2 Likes

There aren’t any. Onlyoffice is open source, it is fine, you can even use it offline. Here in Argentina, where i live, it is very popular actually.

1 Like

Please find all the statements from the 2 threads which made me lose trust in the software OnlyOffice is a Russian company with deep ties to their government and military and actively tries to mask its origins. Please stop reccomending this as a "FOSS-alternative"! - r/privacy

2: It’s FOSS, but has anyone actually done a thorough code review to ensure it’s clean? Of all versions and updates? I’d have no issues using the non-cloud version assuming it has a decent code review, but not the cloud service.

Disguised as Latvian. How the OnlyOffice service, popular in Ukraine, hid a Russian trace

Ascensio System SIA, registered in Latvia, has Russian roots and cooperates with the government of the aggressor country. Among its clients are also state bodies of Ukraine.
At first glance, the developer and the product itself are in no way related to Russia. However, as it turned out, Ascensio System SIA not only has Russian roots and close ties with the Russian Federation, but also indirectly supports the war with Ukraine.
However, if you analyze who is behind OnlyOffice and how the company tries to hide its Russian footprint in Europe, the position of the management will become clear.
The branch of “P7-Office” from OnlyOffice seems to have been made with a single goal: to increase sales in Russia in the wake of the intensification of import substitution, which became relevant due to the sanctions introduced against the Russian Federation after 2014.

The ties to Russian gov and military are explained in the statements from the Ukrainians too.

1. Ministry of Information Technologies and Communications of the Nizhny Novgorod Region
2. St. Petersburg Cadet Military Corps (SPbKVK)

…Among the users of P7-Office are government agencies, educational institutions and commercial organizations.

Fake adresses are used for that sort of thing, but not to insinuate that you have an office or headquarters there where all of your employees supposedly work physically. Which is what OnlyOffice did. It’s a lie you can read on their website. That address is not only fake but their “HQ” and “offices” in Latvia are fake too. They never existed in the first place.

Even with all of this, if I can have a proof that there are no internet connection to the product except for updates, then I don’t care.

Does PrivacyGuides make that sort of checks before recommending anything?

@anon33089522 How do I make sure is is offline?

Download it as a Flatpak and disable the network permission using Flatseal or KDE’s permission managers.

7 Likes

@win11.shading291
It’s not weird they “try to hide their origin” (although they don’t as it’s easy to find), cause they aim to be global company with global product. And most of such companies do the same, as there is no reason to put note on the front page “We are company from XYZ”, no one cares.

But let’s also take the opposite stand - LibreOffice development is managed by TDF, located in Germany. Also receives funding from various governments, used by many, and it is still recommended all around the world as FOSS, privacy focused office suite. So should e.g. Russian users be worried and ditch LO as it might be a German spyware? Of course not, cause it really doesn’t matter where it is developed and managed, but how (and maybe why)

And I’m sure if it ever happens they try to do something shady, it would be disaster for them, and they just wouldn’t risk it.

And regarding product itself, I really think they are doing good things and making a proper office suite, and If I would have to bet what will be the best MSO alternative in 5 years, I would put my money on OnlyOffice (and would still use LO as a main suite :smiley: )

2 Likes

You can block the connections with a firewall or use Wireshark to monitor the traffic. If you are using NextDns can provide logs.

Install Wireshark and see for yourself.
@Tech-Trooper just thought of wireshark without reading to the end.

Lets treat this as the requirement and rule out the rest of the discussion.

I can’t speak for them, but I imagine no. This isn’t due to malice or laziness, there is just a recourse constraint on how few members there are, and being able to consistently audit source code and monitor the state of applications would be a serious full time job. They likely have a level of trust based upon the software license (its FOSS, so thats pretty good, as we can separate the company from the application), the community around the software, reports and articles on reliability, and other research. They themselves do not specifically do the audits.

This is why its recommendations, and if your threat model is super sensitive to different things, don’t take their recommendation without understanding it.


To get a better idea of threat models, I’ll ask you, why aren’t you worried about LibreOffice making network requests, only OnlyOffice?


Lastly, there has been discussion on other forums about this Russian matter. Read here for other comments on the discussion. It seems the only reason to not use OnlyOffice is if you really don’t want to support Russia in any capacity given then war, but if you aren’t donating money or purchasing it then… well its really just a principle then :person_shrugging:

I agree with one of the comments of that discussion quite a bit:

To be fair, I would be more comfortable with Russian open source software that I can run locally over proprietary software from the US or Europe that run on someone else’s servers.

2 Likes

If you’re worried about OnlyOffice making network requests, then you’re worried about OnlyOffice being malicious, at which point you shouldn’t use it at all or run it in a VM.

Desktop OSs aren’t capable of safely running untrusted software, except for Qubes OS.

1 Like

I use Windows :grimacing:

I tried explaining it on the 9th post of this thread. If I had to summarize:

  1. It seems no one audited the code, even if it’s FOSS.
  2. They’re saying they’re a Latvian based company, but apparently, this is false. No employees of their actually work there from what I’ve read. I understand, why they’re doing this though (geo-political reasons). It’s still a lie though and it makes me lose trust (what else are they lying about)?
  3. They seem to support the Russian regime and war and have ties with the government. Again, not sure if this is true, I’m just reporting from the article and posts I linked. Why would I care about this? If I knew your best friend really well and that I knew he was a mythomaniac, then I would not trust you either or at least be on my guards.

Yes this is exactly it. Problem is there are no other choices. Either I use Libre Office which I don’t like the UI. Or I go back to MS Office, which I don’t like either because it’s MS.

Thanks for those suggestions. I’m not savyy enough to get into packet analyses.

What I’m looking for instead is the confirmation that people actually did check that or some sort of report that the code has been audited and is fine.

  • How do you know code is not audited? Or at least network connections are not analized? I did some check, and after initial start, it later connects only to https://oforms.onlyoffice.com/ so you can get needed templates. And all the servers it connected to were in Europe (GB, IE, DE)
  • Portmaster is easy to use, and you can block program’s access to internet
  • LibreOffice UI can be changed, to look similar to others (Ribbon)
  • If at the end you decide go for propertairy suite, there are more private options than MSO
2 Likes

Is there a reason nobody here is recommending SimpleWall? I find it a lot easier to use than PortMaster, and it will allow you to run OnlyOffice with no internet connectivity.

2 Likes

I don’t. I’m simply stating what I read from either article or what someone else. I wasn’t able to find anything on it being audited online so if someone has some info on this, please let me know.

Also, this new thread I saw just sink my trust even more lol.

I tried it for a week. I didn’t like it. Also, Draw’s UI is terrible (to me) as a pdf program. If it weren’t for Draw, I might have stuck with LO. There doesn’t seem to be any FOSS that can edit, fill and sign pdfs. Except for OO.

I’m not sure how to use Portmaster or simplewall, but it seems that would be the best solution has many seem to recommend that.

Actually, can Windows Defender do that? (Yes I use it, please don’t derail :stuck_out_tongue:).

Could someone tell me how?