Dangerzone receives favorable audit
Freedom of the Press Foundation
February 14, 2024
Journalists encounter electronic documents in a variety of formats in the course of their work. Spreadsheets documenting a politician’s expenses might show evidence of a lavish party taking place during a health lockdown. A PDF file might contain a proposal for a controversial military operation.
However, these documents could be digital traps, sprung by adversaries to gain access to a newsroom’s files. Any electronic document may contain malware targeting the software that’s used to open it. In the worst case, a powerful attacker may exploit a vulnerability for which there aren’t yet any security updates.
To address those risks, Dangerzone was initially developed by Micah Lee, a journalist, security engineer, and software developer. It is a cross-platform application for Mac, Windows, Linux, and Qubes OS to help anyone review electronic documents with significantly reduced risk. It does this by essentially creating a “virtual photocopy” of the document in a secure sandbox.
In 2022, Freedom of the Press Foundation (FPF) took on the continued development and improvement of Dangerzone in partnership with Lee. When it comes to security, we believe that journalists shouldn’t just have to take our word for it. That’s why, with support from the Open Technology Fund, we requested an independent security audit of the software.
In December 2023, Include Security completed an audit of the Dangerzone application and website, in a span of 12 days. This included exploratory use of the tool, manual code review, manual dynamic testing, software scans, an architecture review, a sandbox configuration review, and a review of our preliminary support for Qubes OS.
Include Security identified the following categories and numbers of findings: “Critical-Risk”: 0; “High-Risk”: 0; “Medium-Risk”: 0; and “Low-Risk”: 3. The Dangerzone team has already prioritized work on the low-risk and informational findings. Please find the full report, and our assessment of selected findings, below.
Our work on Dangerzone is far from over. With help from OTF, we are currently undertaking a review of Dangerzone’s user experience. We are also making continued architectural improvements to lay the groundwork for simpler installation, quicker updates, and new functionality. To stay up-to-date, follow Dangerzone on Mastodon.
We encourage users to read the security assessment of Dangerzone (FPF copy · Include Security copy), which documents the findings in great detail. As developers of Dangerzone, we would like to highlight findings L1, L2, and I7, and mention our course of action.
For macOS, Include Security suggested that we can further harden the Dangerzone application, i.e., the graphical user interface that users see. Note that attackers cannot directly target the Dangerzone application, but it's still important to protect it, since it interacts with the files that have been produced in the untrusted conversion sandbox. The proposed way to harden the Dangerzone application is via stricter macOS entitlements, which we are actively working on.
We are tackling this issue. For technical details and progress updates, see https://github.com/freedomofpress/dangerzone/issues/638
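The paragraph above describes the trust boundary behind this finding: the application on the host consumes files produced inside the untrusted conversion sandbox. The added example below is not Dangerzone's own code, and its byte layout (a page count, then per page a width, a height and raw RGB bytes) and size limits are constructed for illustration; it shows the defensive pattern on the trusted side, where every length from the sandbox is checked before it is used and the result is rebuilt as an image-only PDF so nothing but pixels survives.

```python
import struct
import zlib
MAX_PAGES, MAX_DIM, MAX_PIXELS = 500, 10_000, 50_000_000  # limits the trusted side enforces (constructed)

def parse_pages(blob):
    """Parse the constructed layout (u32 page count; per page u32 width, u32 height, width*height*3 RGB
    bytes). Every number is range-checked before it drives a slice, since the sandbox may be compromised."""
    def u32(pos):
        if len(blob) - pos < 4:
            raise ValueError("truncated header")
        return struct.unpack_from(">I", blob, pos)[0]
    n_pages, pos = u32(0), 4
    if not 1 <= n_pages <= MAX_PAGES:
        raise ValueError(f"page count {n_pages} out of range")
    pages = []
    for _ in range(n_pages):
        w, h, pos = u32(pos), u32(pos + 4), pos + 8
        if not (1 <= w <= MAX_DIM and 1 <= h <= MAX_DIM and w * h <= MAX_PIXELS):
            raise ValueError(f"page size {w}x{h} out of range")
        size = w * h * 3
        if len(blob) - pos < size:
            raise ValueError("truncated pixel data")
        pages.append((w, h, blob[pos:pos + size]))
        pos += size
    if pos != len(blob):
        raise ValueError("unexpected trailing data")
    return pages

def pages_to_pdf(pages):
    """Wrap the pixels in an image-only PDF: no text, fonts, links or scripts survive."""
    objs, kids = [b"<< /Type /Catalog /Pages 2 0 R >>", b""], []
    for w, h, rgb in pages:
        n, data = len(objs) + 1, zlib.compress(rgb)  # objects n, n+1, n+2: image, content stream, page
        objs.append(b"<< /Type /XObject /Subtype /Image /Width %d /Height %d /ColorSpace /DeviceRGB"
                    b" /BitsPerComponent 8 /Filter /FlateDecode /Length %d >>\nstream\n%s\nendstream"
                    % (w, h, len(data), data))
        draw = b"q %d 0 0 %d 0 0 cm /Im Do Q" % (w, h)  # paint the image over the whole page
        objs.append(b"<< /Length %d >>\nstream\n%s\nendstream" % (len(draw), draw))
        objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 %d %d] /Contents %d 0 R"
                    b" /Resources << /XObject << /Im %d 0 R >> >> >>" % (w, h, n + 1, n))
        kids.append(b"%d 0 R" % (n + 2))
    objs[1] = b"<< /Type /Pages /Kids [%s] /Count %d >>" % (b" ".join(kids), len(kids))
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for i, body in enumerate(objs, 1):
        offsets.append(len(out))  # byte offset of each object, needed for the xref table
        out += b"%d 0 obj\n%s\nendobj\n" % (i, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n%strailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, b"".join(b"%010d 00000 n \n" % o for o in offsets), len(objs) + 1, xref)
    return bytes(out)
```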
Dangerzone uses the LibreOffice suite internally for opening some document types. Include Security pointed out a new LibreOffice setting that disables potentially security-sensitive features en masse. Dangerzone already opens documents with macro execution disabled, but disabling other unnecessary features is a very welcome addition.
We plan to enable this security setting in a future release. For technical details and updates, see https://github.com/freedomofpress/dangerzone/issues/379
Dangerzone is designed under the assumption that, sooner or later, attackers will gain access to the untrusted sandbox. This can be achieved via a specially crafted document that targets a vulnerability within the sandbox. That's why we harden this sandbox to ensure that even in that case, the malware stays contained.
However, our goal is to ensure that the sandbox has no known vulnerabilities by keeping it as up-to-date as possible. Our container image is continuously scanned against known CVEs, or common vulnerabilities and exposures, and we are committed to releasing a new Dangerzone version whenever a CVE critically impacts the security of the sandbox. The 0.5.1 release, which happened during the security audit and addressed the CVE findings, is an example of our policy in action.
We plan to make container updates more frequent and noninteractive, so that users are protected in depth. For technical details and news, see https://github.com/freedomofpress/dangerzone/issues/698
The following table provides background or a relevant tracking issue for all audit findings.