CODE & Collabora Online 23.05.4 Released with New Font and QR Code Features

They say time waits for no man, and that’s certainly the case at Collabora. Our latest update to Collabora Online Development Edition has now been released, with a number of exciting new features and improvements, including font previews, QR and barcode generators, as well as a number of bug fixes and performance improvements.

Font Previews

Gone are the days of guessing what a font might look like. With our new font preview drop-down, you can immediately view a sample of the font before applying it to the document.

Preview fonts before selecting them

Barcode/QR Code Generator

New to Collabora Online: create and edit barcodes and QR codes with the easy-to-use QR and Barcode generator dialog. Produce modern documents, with all the functionality you and your users expect and need.

Insert QR codes within documents

Additional Fixes

As well as the exciting new functions listed above, a number of bug fixes have also been carried out, including:

  • Fixed: Navigator Sidebar: Headings Do Not Update Nesting Instantly
  • Fixed: Calc: With multiple views, an edited comment is committed when the other user switches sheets
  • Fixed: Calc: Elements in Chart Type dialogue when editing chart positioned incorrectly
  • Fixed: Calc: Wrong column width after save .xlsx file
  • Fixed: Dark Mode – Document and text is dark
  • Fixed: Calc: No info is shown that spreadsheet is read-only
  • Fixed: Android app or browser: cannot open PDF
  • Fixed: Notebookbar: Online help mixed with keyboard shortcuts (economed)

4 Reasons To Take OWASP Regulations Seriously

Developers must never rely on client-side access control checks.¹

With this simple statement, OWASP are putting a very big question mark over the head of any document editor that performs access controls in the browser. So what is the big deal, and are client-side access controls really that bad? In this quick post, we’ll find out.

Distributing Data

What happens when a government employee views your tax records, the bank assesses your mortgage application, or your lawyers share documents regarding your case with each other? Depending on the application they are using, it turns out the first operation may well be for the server to make copies of the document for every editor or viewer, before sending the copies to each user’s device. In case it isn’t immediately obvious, this distributive flavour of document editing is extremely concerning for a number of reasons.

1. Lack of Server-Side Enforcement

As mentioned above, one of the core principles of OWASP guidance is enforcing security measures on the server side. However, when full document files are sent to the browser for editing, the server loses control over the data. This immediately undermines any ability to enforce security policy.

2. Vulnerabilities

If data files are sent with code to execute policy in the browser, then a malicious script acting as a “browser” can simply download the document data and discard the policy logic. This exposes the data to potential cyber-attacks and data breaches. OWASP ASVS requirement 4.1.1 states this very simply as, “Verify that the application enforces access control rules on a trusted service layer, especially if client-side access control is present and could be bypassed”², since “client-side logic is often easy to bypass”³. Whilst organisations rightly have training about whether secure USB sticks should or shouldn’t be used with company laptops, nobody is talking about the third-party access freely given by company servers to anything pretending to be a browser.

3. Duplicates

When dealing with sensitive (or arguably any) data, the last thing we should think about doing is photocopying it. TOP SECRET – EYES ONLY is a phrase we are familiar with from the world of spies and espionage, yet so often overlooked in the online world. We naively assume that this couldn’t be an issue with our document editor, yet with many services this is precisely what happens when we start a viewing session. ASVS requirement 4.1.5 states developers should “Verify that access controls fail securely including when an exception occurs.” It’s impossible to imagine, however, how any developer can possibly verify such a fail-safe system when one of the primary functions of a data centre is duplicating files before distribution to any user.
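The two ASVS requirements quoted in points 2 and 3 above (4.1.1, enforcement on a trusted service layer, and 4.1.5, failing securely on an exception) can be seen side by side in the following added example, which is not code from Collabora or OWASP. The ACL store, session shape, document ID and function names are hypothetical, and the sample data is constructed.

```javascript
// Constructed sample data (hypothetical): a server-side ACL and one document.
const ACL = new Map([
  ["doc-42", new Map([["alice", "edit"], ["bob", "view"]])],
]);
const DOCUMENTS = new Map([["doc-42", "Q3 salary review (constructed sample)"]]);
const RANK = new Map([["none", 0], ["view", 1], ["edit", 2]]);

// Weak pattern: the decision rests on a flag computed by browser-side code.
// Anything that speaks HTTP can set the flag, so the check protects nothing.
function handleRequestClientTrusting(req) {
  if (req.clientSaysCanView) {
    return { status: 200, body: DOCUMENTS.get(req.docId) };
  }
  return { status: 403, body: null };
}

// Policy lookup on the trusted service layer. Throws when no policy exists,
// so a missing entry can never be read as "allowed".
function lookupPermission(aclStore, userId, docId) {
  const entry = aclStore.get(docId);
  if (entry === undefined) throw new Error("no policy for document");
  return entry.has(userId) ? entry.get(userId) : "none";
}

// ASVS 4.1.1: the decision uses only server-held identity and policy.
// ASVS 4.1.5: any exception (store outage, missing policy) results in a deny.
function authorize(aclStore, session, docId, needed) {
  try {
    if (!session || typeof session.userId !== "string") return false;
    if (!RANK.has(needed)) return false; // unknown permission name: deny
    const granted = lookupPermission(aclStore, session.userId, docId);
    const level = RANK.has(granted) ? RANK.get(granted) : 0;
    return level >= RANK.get(needed);
  } catch (err) {
    return false; // fail closed
  }
}

// Hardened handler: request fields such as clientSaysCanView are ignored.
// Identity comes from the server-side session, not from the request body.
function handleRequestServerEnforced(aclStore, session, req) {
  if (!authorize(aclStore, session, req.docId, "view")) {
    return { status: 403, body: null };
  }
  return { status: 200, body: DOCUMENTS.get(req.docId) };
}

// Same forged request against both handlers (constructed input).
const forged = { docId: "doc-42", clientSaysCanView: true };
console.log("client-trusting:", handleRequestClientTrusting(forged).status);
console.log("server-enforced:",
  handleRequestServerEnforced(ACL, { userId: "mallory" }, forged).status);
```
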

4. Data Sovereignty and Compliance

Many industries are bound by strict compliance requirements and regulations. Whilst the question of where large data centres are based is beginning to be understood and grappled with, many are overlooking the question of data stored in the cache of users’ browsers. Call it what you want, but if this is the way your document editor functions, you are operating a series of international data centres. With just a few clicks and the magic password ‘F12’, the browser will show the cached documents straight away.

Conclusion:

Governments or organisations that handle financial records, medical information, intellectual property, or indeed any other data, need to carefully assess whether their document editor is operating in a manner consistent with their own regulations and OWASP guidelines. The implications of sending full copies of documents to every browser are many, and extremely questionable. Genuine server-side policy enforcement is the only way to maintain real security. Collabora Online sends a pixel based view of a document to the end user, whilst the full document data remains safely under your control.

 


 

 


1 https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html

2 https://raw.githubusercontent.com/OWASP/ASVS/v4.0.3/4.0/OWASP%20Application%20Security%20Verification%20Standard%204.0.3-en.pdf

V4.1 General Access Control Design
4.1.1 Verify that the application enforces access control rules on a trusted service layer, especially if client-side access control is present and could be bypassed.
4.1.2 Verify that all user and data attributes and policy information used by access controls cannot be manipulated by end users unless specifically authorized.
4.1.3 Verify that the principle of least privilege exists – users should only be able to access functions, data files, URLs, controllers, services, and other resources, for which they possess specific authorization. This implies protection against spoofing and elevation of privilege. (C7)
4.1.4 [DELETED, DUPLICATE OF 4.1.3]
4.1.5 Verify that access controls fail securely including when an exception occurs.

3 https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html

Why Better Accessibility Is Better For Everyone

Accessibility isn’t just a matter of compliance; it’s a commitment to fairness. When content is accessible, it becomes a bridge that connects people, regardless of their circumstances. For instance, individuals with visual impairments can have text read aloud to them through screen readers, while keyboard shortcuts enable those with mobility limitations to navigate without a mouse. Furthermore, it is our firm belief that improvements in document accessibility can be a win for everyone, impaired or not.

As such, at Collabora Online we are committed to bringing the best digital experience we can to all our users, and with our latest release are one step closer to making inclusivity a reality for every individual, regardless of their abilities or challenges.

Screen Readers

One of the key features of document accessibility is that documents are readable by screen readers. Screen readers are software programs that read text aloud for people who are visually impaired. To make a document accessible to screen readers, it must be structured in a way that is readable by the software. This includes using headings, lists, and tables to organize the content in a logical and easy-to-understand way.

In order to further improve document readability, we have added an accessibility checker which will highlight areas that require improvement, both adding to a document’s structure and logical flow, as well as flagging specific issues for screen readers.

Additionally, we’ve introduced a new feature that allows screen readers to access menus and dialogs. This change will make it easier for those with visual impairments to navigate and interact with their documents through text-to-speech or braille displays. With our new initial screen reader support, we’re working to ensure that no one is left behind in a digital world.

Keyboard Shortcuts

Another important feature of document accessibility is that documents can be used with only a keyboard. Some users may not be able to use a mouse, so providing keyboard shortcuts and making sure that all controls and links can be accessed with keyboard commands is essential to ensure access for all.

The latest 23.05 release also brings an improvement to our previously existing keyboard shortcut interface, enhancing the user experience for all Collabora Online users.

Dark Mode

The introduction of Collabora Online’s Dark Mode UI isn’t just a stylistic choice, it’s another step towards enhancing visual accessibility and user comfort. Dark Mode has been carefully designed to alleviate eye strain and mitigate other visual accessibility issues that users may face. By reducing the overall brightness and minimising glare, Dark Mode creates a more soothing and comfortable environment for extended periods of document creation and collaboration. We plan to work on low contrast themes next.

Benefits for Everyone

Improving online accessibility is beneficial for everyone by providing a better, more logical and usable user experience. Documents with a clear structure that are easier for screen readers to understand will also be more easily read by those who do not require screen readers. In the same way, clearer user interfaces, with intuitive shortcuts, will help everyone who is writing, editing, or reading a document. With this attitude in mind, we are very pleased with the latest improvements to Collabora Online, and are confident that as we seek to make Collabora Online more accessible to those with the biggest challenges, we are at the same time improving the experience of all.

Stay tuned over our next releases to see the continuous improvements in accessibility for all.

How Collabora Online Makes GDPR Compliance Easy

Is your online office suite state of the art?

What is the General Data Protection Regulation, or GDPR for short?

The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.

Well that sounds scary, but what does GDPR really mean for businesses and how they collect and store data? In this quick guide, we will explain what you need to know about GDPR with a focus on how it relates to services such as Office365, Google Docs and Collabora Online.

Under GDPR, if a data ‘controller’ (an organisation that collects any personal data) wants to share personal data with a third-party ‘processor’ (an organization that processes this data, for example Microsoft or Google), they must ensure that the third-party processor provides sufficient guarantees that they will implement appropriate technical and organizational measures to protect the personal data. Even without sharing with third parties, the controller must also show that when “taking into account state of the art” technology, they are incorporating data protection “by design and by default”.

And if all this seems very abstract, it might be worth considering that, according to German legal firm CMS, there have been over 1,600 fines issued in the last five years, with the average fine a little over €2,400,000. These range from headline-grabbing figures for Meta and Amazon, to hundreds and thousands of euros for small and medium businesses, hospitals, government administrations and other companies dotted around the world with European users. After removing the 45 individual fines over 1 million euros for this period, we calculate the average fine comes out at more than €300,000. Got your attention yet?

So what is “state of the art”, and what is “data protection by design and by default”? At Collabora, we believe the highest level of protection means having the strongest access control requirements, and for this, no-one else does or can do better.

Where is your data?

As technology and the internet have developed, file sharing and collaborative working have become vital for anyone trying to run an efficient business, or even just set a monthly budget or write a letter. We send files in email attachments, in messaging apps, through different file sharing websites, or on a USB stick. We know that there are bad actors ‘out there’, but as long as nothing happens to us, we try not to think about it too much.

 

The internet is a scary place if you’re on your own

But clearly this is not “state of the art”. The internet is a scary place, and if your data is out in the open like this, anyone could access it.

End to end encryption

Most businesses and applications however recognise the issue here, and the current received wisdom is that ‘end-to-end encryption’ will save the day. To offer you a quick refresher – the general idea with end-to-end encryption is that in order to prevent someone reading a letter who shouldn’t have access, the sender puts a padlock on their letter before putting it in the post, which is then unlocked upon arrival by the recipient. Postman Pat and the rest of the delivery company have no idea what was in the letter, everybody is happy. Sounds good right?

Yet there is an obvious issue staring us in the face with this methodology – it is only end-to-end. A well-intentioned attempt to keep corrupt postmen or system administrators away from your letters or stored data perhaps, but in terms of keeping your data safe in the wider scheme of things, utterly useless! As anyone who’s ever misplaced a letter, had someone read over their shoulder, or indeed had their house broken into can attest. Where either end might be, and who or what is going on there, is literally anyone’s guess. End-to-end encryption also means you can kiss goodbye to any guarantees of having a malware-free server, and you certainly can’t scan for viruses anymore or respond fully to a lawful freedom of information request. Never mind the security implications of what happens when you or one of your staff leaves an ‘end’ with confidential data on it in a bar or taxi or train by mistake. The British government alone reported a total of “96 laptops, tablets, smartphones and other devices lost by or stolen from parliamentary staffers between January 2019 and December 2020, with one device disappearing within Downing Street itself”.

End-to-end encryption, then what?

As far as mitigating this issue goes, companies are left up the creek and without a paddle by this approach. Company laptops are issued that must themselves be encrypted to hopefully secure that end if it is ever lost, and personal laptops are banned, or further lengthy BYOD policies enacted with spurious levels of enforcement.

In the same way that welding your front door shut but leaving the window open is hardly safe, it’d be difficult to honestly argue that this is “data protection by design and by default”. In fact this lack of clarity over what happens at the server ‘end’ is precisely why the German and French governments are taking action to ban some public services from using Office 365 or Google Workspace.

Look, but don’t touch!

So must we accept our valuable data can never be truly safe? We don’t think so! The British Crown Jewels are estimated to be worth upwards of £3 billion. They have lived in the Tower of London since 1661, guarded by the British Army, rarely leaving the premises, yet they have been open to public viewing for most of this time. Within the castle grounds they are viewed by 2-3 million visitors every year, and the only attempted theft ended in failure in 1671. Perhaps our modern collaborative working arrangements could learn something from this open, but secure setup. Is there a way to enable users to view documents, without them leaving the safety of the castle? To look, but not touch?

Well, it turns out there is! While it may well be impractical to start your own international parcel delivery company, it turns out there’s very little stopping a company, individual or organisation from hosting their data within their own premises (be it office or castle!), or with a trusted Collabora partner, essentially running the data-delivery company yourself, and crucially with Collabora Online, sending only images of the viewed parts of the document (not the complete file) to the end users, giving as much or as little editing access as they see fit. Operating more like a hyper-efficient remote desktop than a browser-based editor, user activity is processed by the server in real time, meaning the actual file data never leaves the safety of the server, so no amount of malicious malware, technical tomfoolery or pernicious postmen can extract it from a browser or device. Lost your company laptop? Who cares?! There is no company data on it anyway, and before any bad actors even start looking up your mother’s maiden name, your childhood best friend and what street you grew up on, with a click of a mouse, you can make sure your castle server never communicates with it ever again. Remote wipe if you feel like it, but there’s really nothing on the device!

Collaborative data protection by design and by default

You should use the state of the art solution

If that’s not data protection by design and by default, using state of the art technology, then we don’t know what is. It also remains very unclear how any other software provider intends to honestly address the pressing issue of data security or GDPR compliance, as evidenced by weekly reports of leaks and fines. Don’t sweep the problem under someone else’s rug, be state of the art with Collabora Online and take control of your data.

 

Six Reasons Why Collabora Online is the Best Microsoft Office Alternative

Microsoft Office has led the office productivity market for many years, but is now no longer the only option for your online document editing. Collabora Online is perfect for businesses who are looking for a modern and secure workspace.

Here are six reasons why Collabora Online is the best Microsoft Office alternative:

1. Excellent interoperability with major (and minor) file formats

If you can’t work with the files, then you aren’t much use as a file editor. Fortunately Collabora Online provides excellent interoperability with a wide range of file formats. DOCX, XLSX, PPTX, we’ve got you covered. In actual fact, we have greater interoperability between our online and offline editor than even Microsoft’s desktop and online editors offer (more about this coming in a future post, watch this space!). So rest assured, you’ll still have access to that legacy Microsoft Works file you still have lying around. Got an unusual client who likes everything sent to them in .docm? Not a problem. Need to import a FlatXML spreadsheet? With Collabora Online, you’ll have all the interoperability you need for your modern, or indeed legacy working environment!

2. Digital security and sovereignty

Collabora Online offers distinct advantages over Microsoft Office from a digital sovereignty perspective. First and foremost, Collabora Online is an open-source solution, providing transparency and giving organizations full control over their software stack. This allows users to verify and modify the source code, ensuring data privacy and security. Additionally, unlike Office 365 which operates on a cloud infrastructure managed by a single provider, Collabora Online can be deployed on-premise or in a private cloud, enabling organizations to maintain complete sovereignty over their data. This level of control enables full compliance with data protection regulations and safeguards against unauthorised access. By choosing Collabora Online, you can prioritise your digital autonomy and protect your data.

3. Collaborate effectively with anyone you choose

The clue’s in the name! Collabora Online allows you to collaborate, co-edit, review and track changes, add comments, and share your documents securely. Furthermore, Collabora Online gives you a whole range of security and permission settings, enforced server side, to ensure your data and the content of your documents are always protected.

4. Great platform availability and ease of use

Whether you’re a Mac, Windows or Linux user, or you like to edit on desktop, mobile or your favourite modern browser, Collabora Online is available to offer you freedom of choice. Also, unlike the familiar alternatives, our browser-based and desktop applications have full interoperability since they share a common codebase. No more glitches when you try and edit that slide show online that you just had on your laptop.

They say you can’t teach an old dog new tricks, and with Collabora Online you won’t have to. With a familiar user-friendly interface, you’ll feel right at home and can skip costly retraining that might come with other alternatives.

5. No more vendor lock-in

Have you noticed the inexorable rise of Microsoft’s pricing structure, or new changes nobody asked for? We certainly have. Break free from vendor lock-in with Collabora Online! Unlike other tech giants, with Collabora Online you’re not tied to any one service provider. Integrate our secure office suite into your own solution and infrastructure, or with any of our 200+ partners, paying for as many services as you require. Want to switch to a hybrid cloud solution or fully on-premise down the line? Not an issue with Collabora Online.

6. Exciting Community Spirit

Did you know that by joining Collabora Online, you’re joining a huge community? Collabora Online was born out of the open-source world, long before crowdfunding or crowdsourcing was a thing, and we’ve stayed true to our roots. Alongside Collabora Online, we also offer Collabora Online Development Edition (or CODE for short) allowing everyone to enjoy the latest features and provide feedback. This vibrant and engaged community fosters a collaborative environment where users, developers, and enthusiasts come together to contribute, share knowledge, and drive the evolution of Collabora Online. The CODE community offers an opportunity to help others through forums, mailing lists, and dedicated channels. Furthermore, this community-driven ecosystem provides opportunity for contribution to the enhancement and expansion of Collabora Online’s features, compatibility and performance, giving you access to a support network and bespoke solutions Microsoft Office users can only dream of.

We could go on, but suspect you’re getting the message. Collabora Online is the best alternative to Microsoft Office, and if you ask us, is better than the current market leaders. Try the demo today at: https://col.la/getonline