Two PDF privacy/anonymity risks (and possible Whonix suggestions)

I know that privacy is different from anonymity, but assume Whonix devs and community care about both quite a bit!

Two possible concerns about opening PDF files in Whonix:

1. When clicking on a hyperlink inside a PDF file, is it possible that ‘HTTP referrer’ info (e.g. with the PDF filename in the referrer) is leaked to the hyperlink’s webserver and thus being a privacy concern (and also anonymity, if the user has ever clicked on the link outside of Whonix and the conditions are obscure enough)? I don’t have a webserver to test my own test link with but am very curious. What could be done if this is the case? A warning message inside the existing ‘confirm open’ dialog at the very least?

2. In Okular, Whonix’s PDF reader by default, in settings ‘Obey DRM limitations’ is ticked by default. Now, I have come across this alarming PDF technology: https://www.locklizard.com/track-pdf-monitoring/. It appears to be a way to track users opening a PDF via PDF DRM technology. Can anyone find or generate a PDF with DRM tracking code in it and confirm that this priv/anon risk? Suggestion: at the very least, please Whonix devs change the Workstation template VM to have that Okular setting unticked by default (if that is possible via .conf files in the filesystem).

Thanks and stay safe

If one wants to avoid this they could choose to disconnect internet access to the workstation VM and open them?

Or just set Qubes to open all PDFs in a DispVM that is set with no network access?

General principle is opening various media formats is dangerous. Loaded PDFs have got to be up there exploit-wise.

Should be preferably isolated VM-wise, or sandboxed when opening etc possibly with line disconnected manually as HulaHoop mentioned.

BTW On a related matter, I wouldn’t ever leak electronic instances of high security documents by trusting some “file cleaner” application (#1 is the real threat below). But our wiki doesn’t highlight the severe risks of this approach?

1. They regularly imbed steganographic messages in high value docs these days. See here:

http://blog.fastforwardlabs.com/2017/06/23/fingerprinting-documents-with-steganography.html

2. Zero width space (homoglyph substitution) is another technique. It means you can’t see additional zero-width characters, but it can be used to fingerprint text.

https://www.zachaysan.com/writing/2017-12-30-zero-width-characters

Moral of the story, if you’re a high level leaker, you go to the trouble of manually retyping the disclosures in all their glory in some kind of basic format that can be stripped clean easily and then onionshare it.

What you don’t do is leak the original source doc after running it through some (hopeful) cleaner, which does squat to the multiple embedded signatures, which then leads you to jail or exile when leaked “anonymously”.

Other recommendations from that link above:

Countermeasures for journalists or others engaged with leakers, in decreasing order of effectiveness:

• Avoid releasing excerpts and raw documents.
• Get the same documents from multiple leakers to ensure they have the exact same content on a byte-by-byte level.
• Manually retype excerpts to avoid invisible characters and homoglyphs.
• Keep excerpts short to limit the amount of information shared.
• Use a tool that strips non-whitelisted characters from text before sharing it with others.

Good stuff here, could you document all of this PDF (or docs?) related stuff please? @torjunkie

That would be good. However, too many development tasks, too few developers. So please create a ticket a phabricator.whonix.org and then don’t hold your breath for it. @AnonymousUser

Or switching to a simpler pdf viewer without any remote content fetching / drm features. A simpler viewer. Are there any? @HulaHoop

And/or as a stopgap could we prevent outgoing internet connections by okular using apparmor? @troubadour

https://packages.debian.org/stretch/mupdf
https://packages.debian.org/stretch/zathura

Its a question of underlying libs poppler vs Mupdf. Zathura and Okular both use poppler. By looking at the CVE history (though not a good metric) MuPDF has less vulns. Given

https://forums.gentoo.org/posting.php?mode=quote&p=6984142

Mupdf is the clear winner.

Mupdf is a PDF (1.7) and XPS rendering lib written in C from the ground up (sort of… based off of libart). There are no plans to implement interactive features (form filling). It does have a minimal interface but it is actually intended as a library. It is developed by Artifex, the same guys responsible for GhostScript. Poppler is a PDF library that came from a fork of Xpdf and has been used all over Linux for years now for PDF handling. The code is a bit ugly and unwieldy.

The focus of MuPDF is on speed, small code size, and high quality anti-aliased rendering. Poppler, on the other hand, probably has wider PDF feature and edge-case coverage since it has been around so long and is and widely deployed.

OK - will do.

-> Fixed

Hi Patrick, a month later I’ve tried again to register at phabricator.whonix.org (I tried on the day you first suggested I create a ticket) but the activation email simply never comes. If someone can PM me working conditions (what email service to use, anything else to make sure it works) I’d appreciate it so I can contribute to the tickets or bug reports like I was advised here. Thanks!

@torjunkie, where in the wiki did you document it? A cursory search of ‘PDF’ didn’t seem to show it for me.

Hi AnonymousUser

Have you been trying to register using .onion e-mail domain? I know there are some providers that have Tor-to-Tor e-mailI. There have been account requests every so often from this type e-mail address. Mostly spam bots. Could this be why you are not receiving a verification e-mail? Anyways, you can shoot me an e-mail 0brand@protonmail.com and I can get that account set up for you. For setting up an e-mail account:

https://www.whonix.org/wiki/Support#Creating_an_Anonymous_Email_Account_for_Support

EDIT:

I just approved your account so you should be all set. If you have any problems please let me know. (e-mail or forum)

Hi,

The info is split across two wiki entries:

http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Metadata

&

http://dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/DoNot#Do_not_Open_Random_Files_or_Links

(yeah - we should probably have a stand-alone PDF page somewhere, but there’s always something else to do. Wiki contributions welcome )

Please post your account name and a very brief summary what you are doing to report here:

phabricator account sign-ups now needs manual confirmation

(This is just an anti spam measures.)

Your account will be enabled then by @Algernon . Even without working e-mail address. A working e-mail address would be beneficial for you anyhow so you get notifications. But it’s not mandatory and can be sorted later.

There is also a slim chance there was an issue with our whonix.org mailer. Or somehow your e-mail provider blocks messages from whonix.org. If you want that fixed please mail fortasse and cc me from your e-mail address.

https://www.whonix.org/wiki/Contact#For_Website_Issues

Hi Patrick

I assumed that this all that was needed for account approval (brief summary of what issue user would like to report)

An account request from this user showed up on phabricator so I approved it.

Should I not have approved the account? I’m a little confused.

0brand:

I assumed that this all that was needed for account approval (brief summary of what issue user would like to report)

Right.

An account request from this user showed up on phabricator so I approved it.

Perfect.

Should I not have approved the account? I’m a little confused.

Approval is ok. Did not know already was.

Thanks for the tip on phabricator signup. So I can’t remember what I signed up with a month ago, I didn’t even save the username or password (or email) as it just kept on not working so I gave up. It may have been ‘AnonymousUser’ but I wouldn’t have the password (or email) on me for that account now…

But what I used in the last 24 hours (and please activate), is ‘AnonymousWhonixUser’. My initial intention is to follow the suggestion of Patrick to put the suggestion of that modified Okular default setting in whonix template as an official ticket, even if it’s a small request, as I want to show my support to the project and commitment to its success. After that, who knows, maybe some future tickets as well after first posting them in the forums. I’m always full of ideas.

And thanks for the link to the wiki, glad that was documented.

Hi Patrick

Time line…

1. Saw AnonymousUser forum post. Remembered an account request from an AnonymousUser when I first started helping out. Recalled sending a verify e-mail.
2. Asked AnonUser to send me e-mail (wanted to verify was same user). Once received I was going to send a Phabricator invite to see if that worked
3. Went to to find original verify e-mail I sent to user. Saw AnonUser new account request. Approved account.
4. Saw your post, thought I messed up

Hi AnonymousUser

I checked and I found your original account request from a month ago. I sent a verify e-mail I guess you didn’t receive it. Its possible your e-mail filter sent it to your spam folder?

I checked phabricator; saw and approved your new account request. Could you please try logging into phabricator.whonix.org

If you are unable to login could you please head over to this thread to report your problem

phabricator account sign-ups need manual confirmation

This way we can keep thing nice and tidy.

I missed tat one.

Seemingly, there is no way to prevent outgoing internet connections with apparmor.
Basically, the kernel lacks the code to block the network connections. See

Tried in Tor Browser profile deny network inet, deny network inet6, which is supposed to block ipv4 and ipv6. It confirms the reply in the link above. TB is still running happily.

However the line deny network raw (blocking socket access) might help, partially. For testing, I wrote a short profile for ping. Ping is not allowed in Whonix and returns

From xx.xx.xx.xx (xx.xx.xx.xx) icmp_seq=1 Destination Port Unreachable
ping: sendmsg: Operation not permitted
...

With the profile enforced, it returns

ping: socket: Operation not permitted

and exits.

For what it’s worth, the okular profile is updated.

troubadour:

I missed tat one.

Seemingly, there is no way to prevent outgoing internet connections with apparmor.
Basically, the kernel lacks the code to block the network connections. See

https://unix.stackexchange.com/questions/414490/how-to-deny-applications-access-to-network-by-apparmor

Tried in Tor Browser profile deny network inet, deny network inet6, which is supposed to block ipv4 and ipv6. It confirms the reply in the link above. TB is still running happily.

Speculation: This might be because Tor Browser is using unix domain
socket files. No IPv4 / IPv6 / TCP. So Tor Browser is not a prime test
target for this.

However the line deny network raw (blocking socket access) might help, partially. For testing, I wrote a short profile for ping. Ping is not allowed in Whonix and returns

>From xx.xx.xx.xx (xx.xx.xx.xx) icmp_seq=1 Destination Port Unreachable
ping: sendmsg: Operation not permitted
...

It’s blocked in Whonix firewall since Tor wouldn’t support ICMP. So we
get a better error message.

With the profile enforced, it returns

ping: socket: Operation not permitted

and exits.

Interesting!

For what it’s worth, the okular profile is updated.

https://github.com/troubadoour/apparmor-profile-okular/commit/cc47fef3aeddad2abaec9845692149a2464dcbcf

Merged!

Man, this attempt to register at phabricator is quite an odyssey. The email provider I used for ‘AnonymousWhonixUser’ blocked me (thinking I got hacked after detectig weird IPs).

So this third time I’ve signed up a THIRD account called ‘ThirdTimeLucky’, using a .onion-hosted (but DNS-compatible) email that I’ve tested does receive emails at its webmail. The verify email worked so it only needs the admin approval now. Looking forward to it working please let me know.

I love that you’ve committed a network plug into okular. But I can still create a ticket for the DRM setting to be unticked on phabricator as that’s a separate technical item, right?

Done! Please let me know if you have any problems signing in.