Comment by dfajgljsldkjag
14 hours ago
I personally just upload them to google drive. It would be a serious pwn if they could somehow still do a compromise through google drive.
14 hours ago
I personally just upload them to google drive. It would be a serious pwn if they could somehow still do a compromise through google drive.
(disclaimer: one of the Dangerzone devs)
That's something I do from time to time as well. AFAIK Google Drive renders all documents on the server-side (which implicitly means that they don't trust the browser sandbox), so that's a reasonable price to pay for less privacy.
Dealing with sensitive documents though is another story, you just can't upload them to a third-party service. That's where projects like Dangerzone come into play.
Does google drive apply any transformation over the PDF, or are you effectively loading the same document in your browser on the round trip?
I often view PDFs in Drive, and it's definitely not just displaying the document with the native web browser. It is rendered with their "Drive renderer", whatever that is. They don't even display a simple .txt file natively in the browser.
They have some kind of virus scanner for files you open via a share link. Not sure about the ones you have stored on your own drive unshared.
But probably the main security here is just using the chrome pdf viewer instead of the adobe one. Which you can do without google drive. The browser PDF viewers ignore all the strange and risky parts of the PDF spec that would likely be exploited.
And yet browser PDF viewers still have vulnerabilities and hackers keep finding sandbox escapes.
Do you have any specifics on what Drive does? Any examples of it fixing embedded virii? Or is this blind assumption?
I assume they mean "upload to drive and use the web based reader to view the PDF," not "upload to drive and download it again"
And what special sauce does the web preview use? At some point, someone has to actually parse and process the data. I feel like on a tech site like Hacker News, speculating that Google has somehow done a perfect job of preventing malicious PDFs beckons the question: how do you actually do that and prove that it's safe? And is that even possible in perpetuity?
4 replies →
Firefox has a builtin PDF reader, PDF.js, that resides inside of the Javascript sandbox. In theory, it's as safe as loading a webpage.
So not actually all that safe since sandbox escapes happen all the time. PDF.js has had many vulnerabilities as well