
Add support for trusted PDF generation #235

Closed
eloquence opened this issue Jan 29, 2019 · 4 comments

Comments

@eloquence
Member

Export (#21) is a must-have feature for the beta; if we limit export to originals, we risk malware exposure once a PDF or other potentially problematic document is copied to another environment.

Qubes has first-class support for the creation of trusted PDFs (repo, technical background) in disposable VMs which is a good early functional target to integrate.

For simplicity, this could be integrated into the export processing workflow, so that any document that lands in the USB-connected export VM is already sanitized.

User Stories

As a journalist, I want to make sure that a PDF I export to another computer is safe, so that I do not accidentally compromise my news organization's security when sharing submissions from anonymous sources.

@eloquence
Member Author

An architectural decision here will be whether or not the client should keep track of processing steps and derivatives, e.g., hold on to trusted PDFs. Processing pipelines can get quite complex (redact -> generate trusted PDF; remove image metadata -> convert file format -> rename, etc.); if the client needs to hold on to all derivatives and the hierarchical and chronological relationship between them, that could get very complicated very fast.

If we treat disposable export VMs as the point of alteration of documents, and leave it up to the news organization to organize them in a manner that makes sense outside of the context of the client, that may be much more manageable, and more realistic and in line with their real-world usage. The client, in this model, would be the source of truth for all file originals, but never for derivatives.

@ninavizz
Member

^ The ux kid personally favors the latter option. Would love a step-thru on Qubes tomorrow, of what their current "Create Trusted PDF" workflow looks like, from File Manager!

@eloquence
Member Author

For the beta, the current plan of record is to strongly encourage use of print, and to add appropriate security warnings to the export dialogs. We may not be able to do much beyond that.

I do think it's worth thinking about a safe way to export documents to a work VM, where such tools can be installed, and from which they can be sent to the USB drive. It would be simplest for this to be sd-export-usb itself, but I understand there's a security argument for adding another VM for this purpose.

As we did with the very first export iteration for the alpha, this could be the kind of process we document manual steps for, and then think about supporting explicitly in the client.

@eloquence eloquence modified the milestones: 0.2.xbeta, Post-Beta Mar 19, 2020
@eloquence
Member Author

Closing for now in favor of freedomofpress/securedrop-workstation#26; we can open a more clearly scoped issue once we have a plan for implementation.


2 participants