[Feature Request]: Integrity check
Feature Description
An integrity check based on a specific value to know whether a public instance is using the Docker image as is, or has modified the image to save files that are not meant to be saved at all, violating user privacy.
Why is this feature valuable?
It assures users' data privacy and confidentiality.
Suggested Implementation
This will show a specific hash of the current Docker image in either corner of the app webpage, which will then be checked against the hash in a file in this GitHub repository, with a separate file for each point release. If the hash matches, the icon says "Private & Secure". If not, "Not secure :warning:"; clicking on it will explain that the server running the open source software might have modified the source code and that it is not recommended to use this server instance if you want to protect your privacy.
Additional Information
I think config files should also be considered for hash calculation.
No Duplicate of the Feature
- [X] I have verified that there are no existing feature requests similar to my request.
I've thought about this before but decided against it as it gives a false sense of security. At the end of the day, anyone with the knowledge to change the source code has the knowledge of how to spoof this check and make it appear safe.
I believe it depends upon the implementation. You need to build the image with the integrity check as a separate runtime component. Without it, the image won't build. If someone builds without the check, the image won't work. I understand it's way overkill, but sometimes it's the best way.
Kind of like DRM in streaming sites.
> Oct 5, 2024, by @.***:
> I've thought about this before but decided against it as it gives a false sense of security. At the end of the day, anyone with the knowledge to change the source code has the knowledge of how to spoof this check and make it appear safe.
> (Reply to this email directly or view it on GitHub: https://github.com/Stirling-Tools/Stirling-PDF/issues/1992#issuecomment-2394990987)
Couldn't they just modify the check or remove it completely?
Anthony, thanks a lot for deleting it. It was a PowerShell script. Being on Linux has its own advantages.
I just saw my mailbox and opened it on my Android. It copied a PowerShell command to fetch from a server and execute something. I was confused, as I thought it was KDE Connect copying something from my PC clipboard. Instead, it was the webpage.
We all might need to use a separate PC/VM for development because of these bad actors.
Sadly going to close this ticket as I don't think it's achievable and will only give false hope.
A simpler idea: after the container is started and loaded, a binary calculates the hash of the binaries inside the container, compares it with the release, and says "Secure"?
It might hit functionality somewhat, but I don't know what else is false hope regarding this.
The problem is that the binary could be modified (so it shows "Secure" when the hashes don't match). If you know the binary has never been tampered with, then it's fine, but how can you guarantee that? Unless they manually verify the binary checksum, but at that point why not just verify the checksum of the Docker image itself?
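The two approaches argued over in this thread, as an added example that is not code from the Stirling-PDF project: `tree_digest()` is the in-container idea from the issue body (a deterministic hash over application and config files), and `verify_image_digest()` is the out-of-band check suggested above, comparing the `RepoDigests` field of `docker inspect` output against a digest pinned in a release file. The pinned digest, file suffixes and inspect output are all constructed for the demo; the point it makes is that the first check only carries weight when the party running it sits outside the container, while the second is something a user can run against an image they pulled themselves.

```python
"""Two sides of the integrity-check question from this thread.

tree_digest()          - in-container idea: one hash over app + config files.
verify_image_digest()  - out-of-band idea: compare the digest Docker reports
                         for an image against a value pinned in a release file.

The first only proves anything when the *verifier* is outside the container;
code that runs inside the container can be edited along with everything else.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Hypothetical pinned value for one point release (constructed). A real one
# would be read from a per-release file in the project's repository.
PINNED_DIGEST_EXAMPLE = "sha256:" + "a" * 64

# Assumed file types worth covering; config files are included on purpose.
DEFAULT_SUFFIXES = (".jar", ".properties", ".yml", ".yaml")


def tree_digest(root: str, include_suffixes: tuple = DEFAULT_SUFFIXES) -> str:
    """Hash every matching file under `root`, in sorted path order, into one SHA-256.

    Each entry contributes its relative path and its content hash, so renaming,
    adding or removing a file changes the result, not only editing one.
    """
    root_path = Path(root)
    h = hashlib.sha256()
    for path in sorted(p for p in root_path.rglob("*") if p.is_file()):
        if include_suffixes and path.suffix not in include_suffixes:
            continue
        rel = path.relative_to(root_path).as_posix()
        file_hash = hashlib.sha256(path.read_bytes()).hexdigest()
        h.update(f"{rel}\0{file_hash}\n".encode())
    return "sha256:" + h.hexdigest()


def verify_image_digest(inspect_output: str, pinned_digest: str) -> tuple:
    """Check `docker inspect <image>` JSON, run by the verifier outside the
    container, against a pinned digest.

    Returns (ok, reason). RepoDigests entries look like 'repo/name@sha256:<hex>';
    only the part after '@' is compared.
    """
    try:
        records = json.loads(inspect_output)
    except json.JSONDecodeError as exc:
        return False, f"unparseable inspect output: {exc}"
    if not isinstance(records, list) or not records:
        return False, "no image records in inspect output"
    digests = {d.split("@", 1)[1] for d in records[0].get("RepoDigests", []) if "@" in d}
    if not digests:
        return False, "image has no repo digest (built locally, never pushed or pulled)"
    if pinned_digest in digests:
        return True, "image digest matches pinned release digest"
    return False, f"digest mismatch: expected {pinned_digest}, got {sorted(digests)}"


def demo() -> dict:
    """Hash a constructed file tree, tamper with a config file, then run the
    external digest check on constructed inspect output."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp)
        (app / "app.jar").write_bytes(b"not a real jar, constructed for the demo")
        (app / "config").mkdir()
        (app / "config" / "settings.yml").write_text("system:\n  enableAnalytics: false\n")
        before = tree_digest(tmp)
        # Simulate a modified instance: a config change the end user cannot see.
        (app / "config" / "settings.yml").write_text("system:\n  enableAnalytics: true\n")
        after = tree_digest(tmp)

    # Constructed `docker inspect` output, trimmed to the one field we need.
    good_inspect = json.dumps([{"RepoDigests": ["example/app@" + PINNED_DIGEST_EXAMPLE]}])
    bad_inspect = json.dumps([{"RepoDigests": ["example/app@sha256:" + "b" * 64]}])
    local_inspect = json.dumps([{"RepoDigests": []}])
    return {
        "tree_changed": before != after,
        "good": verify_image_digest(good_inspect, PINNED_DIGEST_EXAMPLE)[0],
        "bad": verify_image_digest(bad_inspect, PINNED_DIGEST_EXAMPLE)[0],
        "local": verify_image_digest(local_inspect, PINNED_DIGEST_EXAMPLE)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The `local` case is the one to watch in practice: an image built from modified sources on the host has no repo digest at all, so a verifier that treats "no digest" as anything other than a failure would pass exactly the instance the thread is worried about.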
The Docker image will have unloaded its content during runtime and has no access other than displaying the webpage.
Another thing we could do is process all files in an encrypted memory page and also transmit them to the server encrypted, kind of like E2E, but in this case we use something such as encrypted zswap or zram for files that are processed on the server.
> 21 Nov 2024, by @.***:
> The problem is that the binary could be modified (so it shows "Secure" when the hashes don't match). If you know the binary has never been tampered with, then it's fine, but how can you guarantee that? Unless they manually verify the binary checksum, but at that point why not just verify the checksum of the Docker image itself?
> (Reply to this email directly or view it on GitHub: https://github.com/Stirling-Tools/Stirling-PDF/issues/1992#issuecomment-2491113797)