After you open the suspect file in that sealed box, Dangerzone uses the open-source software LibreOffice to convert anything that’s not already a PDF to a PDF format. It then uses the open-source software Poppler and ImageMagick to reduce that PDF further to red, green, and blue pixels. From those raw visual ingredients, it rebuilds the document in a second container, recreating a sanitized PDF with no hidden code, animations, or even web links. (Thanks to that pixel-rebuilding process, the software outputs a PDF regardless of the file format it takes in.) Dangerzone also uses the optical character recognition software Tesseract to convert letters and numbers in the PDF back to machine-readable text, letting you copy text from and search the file.
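An added illustration of the pixel-rebuilding step described above (not Dangerzone's code and not part of the original article): a Python function that accepts only a width, a height, and raw RGB bytes and writes a one-page PDF around them, so the only thing carried into the output is a bitmap. The function name `pixels_to_pdf` and the 2x2 sample bitmap are constructed for this example.

```python
import zlib

# Constructed sample: a 2x2 bitmap (red, green, blue, white), 3 bytes per pixel.
SAMPLE_RGB = bytes([255, 0, 0,  0, 255, 0,  0, 0, 255,  255, 255, 255])

def pixels_to_pdf(width: int, height: int, rgb: bytes) -> bytes:
    """Hypothetical helper: wrap raw RGB pixels in a minimal one-page PDF."""
    # Reject any buffer that is not exactly width*height RGB triples, so
    # trailing or missing data is never interpreted.
    if width <= 0 or height <= 0 or len(rgb) != width * height * 3:
        raise ValueError("pixel buffer does not match declared dimensions")
    image = zlib.compress(rgb)
    # Page content stream: scale the unit image to the page size and paint it.
    draw = b"q %d 0 0 %d 0 0 cm /Im0 Do Q" % (width, height)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 %d %d] "
        b"/Resources << /XObject << /Im0 4 0 R >> >> /Contents 5 0 R >>"
        % (width, height),
        b"<< /Type /XObject /Subtype /Image /Width %d /Height %d "
        b"/ColorSpace /DeviceRGB /BitsPerComponent 8 /Filter /FlateDecode "
        b"/Length %d >>\nstream\n" % (width, height, len(image))
        + image + b"\nendstream",
        b"<< /Length %d >>\nstream\n" % len(draw) + draw + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for number, body in enumerate(objects, start=1):
        offsets.append(len(out))  # byte offset of each object for the xref table
        out += b"%d 0 obj\n" % number + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off  # each xref entry is exactly 20 bytes
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objects) + 1, xref_at))
    return bytes(out)

if __name__ == "__main__":
    pdf = pixels_to_pdf(2, 2, SAMPLE_RGB)
    print(len(pdf), "bytes written around", len(SAMPLE_RGB), "bytes of pixels")
```
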
Think of it like taking a piece of paper that someone has sneezed on and putting it in a Xerox machine. The copy that comes out is visually identical to the original, but carries none of the potential risk of infection.
Also like that Xerox copy, the documents that Dangerzone produces aren’t exact replicas. When WIRED tested an early version of Dangerzone, it worked perfectly to create sanitized PDFs out of most PowerPoint, Word, and PDF files, though it took as much as a few minutes in some cases to convert them. But other document types came out more mangled: GIFs, as you might expect, turned into non-animated, multi-page PDFs filled with some strange pixelated images on some pages. Excel spreadsheets turned into collections of numbers floating on white pages rather than a neat grid, and some PowerPoint slides were rotated 90 degrees for some reason. One PowerPoint with an embedded video resulted in a “Failed :(” message.
Despite those quirks and a few lingering bugs, Dangerzone represents a long-overdue attempt to help ordinary people open attachments without fear, says Harlo Holmes, the director of newsroom digital security at Freedom of the Press Foundation. Holmes points out that some technically sophisticated and paranoid users already use other tricks to neuter dangerous attachments, like opening them in virtual machines, or in the ephemeral operating system Tails, or by exploiting a feature of the operating system Qubes that can convert PDFs to “trusted PDFs.” But Dangerzone, at least when it’s out of its testing phase, will bring the same security to the overwhelming majority of people who don’t run obscure operating systems or casually spin up VMs. “This is going to equalize everyone’s security when they open stuff on their computers day to day,” Holmes says. “It simplifies everything and gives people a vast degree of security they wouldn’t have had otherwise.”
Holmes warns that, like any security software, no one should put too much trust in an early test version of Dangerzone. Lee himself concedes that an attacker could find vulnerabilities in LibreOffice—which Dangerzone uses to open documents—and also in Docker, which combined could let malicious code break out of the quarantine and run on a target computer. But Dangerzone nonetheless significantly raises the bar for attackers, and thanks to its simple design doesn’t present any obvious ways to defeat its security. “It still has quite a ways to go before anyone should blithely just run it and expect it to stand up to the most targeted and extreme cases,” Holmes says. “But the simplicity of it goes a long way.”
For the vast majority of people who have to open files sent to them by strangers on a regular basis, even an imperfect solution may be better than the alternative: Double-clicking on that shady attachment and rolling the dice.