In our previous post, we delved into Collabora’s exciting collaboration with the German Federal Ministry of the Interior (BMI) and other partners on the groundbreaking openDesk project. Today, we’ll take a closer look at why Collabora Online, in particular, is an ideal fit for governments aiming to strengthen their digital sovereignty.
1. Bringing Real Pedigree
You might not have heard of Collabora Online until recently, but we are based on and are the world’s largest code contributor to LibreOffice, which traces its history back to 1985 [1] (5 years earlier than Microsoft Office [2]). As mentioned in the introduction above, we are a core part of the German Government’s openDesk project, and are already used by many more authorities, both local and national.
With this history comes our long-running commitment to interoperability which means that governments can seamlessly integrate us into their existing IT ecosystems, whether they be document management systems, email clients, or cloud storage solutions. Unlike some of our larger proprietary competitors, it’s not ‘my way or the highway’ with Collabora Online.
2. No Hidden Tricks
Collabora Online is built on a foundation of open-source software, which aligns perfectly with the principles of transparency and openness that governments value. This ensures that governments have full access to the source code, allowing them to review, modify, and tailor the software to meet their unique needs. It’s the epitome of control and autonomy.
Furthermore, we are committed to long-term support and development. Governments can rely on a stable and continuously evolving office suite that adapts with their needs. As an open-source solution bringing zero risk of vendor lock-in, governments and civil servants also need not fear having their data or certain functionality held ransom, as is increasingly being seen in the adoption of granular subscription models [3].
3. Data Security and Privacy
Arguably this should have taken top spot on the list. Governments are rightly concerned about services that require exporting data to third-party companies operating in foreign jurisdictions (we’re looking at you, Office 365/Teams). Whilst GDPR regulations go some way to reducing extra-national jurisdictional questions (more on that in our GDPR post), the only real solution for governments is to host their applications and data themselves, or with a local hosting service, an option unavailable from any other leading collaborative document editor.
Collabora Online brings real-time collaborative editing, twinned with the highest levels of security and on-premise hosting. Using Collabora Online, governments can protect their data while collaborating effectively.
4. Cost-Efficiency
One of the top priorities for governments is to provide value-for-money services for their citizens. Collabora Online provides a cost-effective solution without compromising on quality. We allow governments to reduce licensing costs associated with proprietary software while still enjoying a full-featured and powerful office suite for document creation, editing, and collaboration.
Collabora Online isn’t just an office suite, we’re a partner in the quest for digital sovereignty. Public bodies worldwide are recognizing the importance of maintaining control over their digital infrastructure, and Collabora Online offers a robust and flexible solution that aligns with these goals. As we continue to work on the openDesk project and similar initiatives, Collabora reaffirms our commitment to supporting governments in their journey toward digital sovereignty.
As a leading open-source software company, we are thrilled to be part of a groundbreaking initiative that promises to revolutionize digital sovereignty in public administration. The openDesk project [1], led by the German Federal Ministry of the Interior (BMI) in collaboration with a large team of open-source experts from Collabora, Dataport, Univention, OpenXchange, Nextcloud, XWiki, OpenProject, and others, promises to redefine the way governments interact with technology.
What is openDesk?
More than just a project, openDesk is a vision of digital freedom and self-determination for governments and organizations across Europe [2]. At its core, openDesk is a digital workplace designed to offer a holistic, open, and sustainable alternative to proprietary software. It’s about reducing dependencies on global tech giants and taking control of critical data.
As such, we are excited to play a crucial role in this ambitious endeavor. We are contributing our expertise to the openDesk project, as the leading provider of open-source office productivity software. Essential tools such as Collabora Online will empower public administration to work efficiently and securely while maintaining full control over their data.
[Figure: an overview of all planned components for the basic release at the end of 2023 [3]]
Why does openDesk matter?
We love a number of the principles behind the openDesk which align well with our mission, including but not limited to:
Digital Sovereignty: We want to put users such as governments in control of their technology infrastructure.
Open Source: The project relies on open-source software, emphasizing transparency and flexibility, and collaborating around the code in public, which is core to our business.
Collaboration: With multiple partners involved, openDesk showcases the power of collaboration in tackling large migration projects.
Serving Users: Building the openDesk reference implementation with the German Federal Ministry of the Interior and Community will enable us to bring Open Source to a large number of Government seats across Europe.
Our Involvement
Collabora Online is a vital part of the project because of our history deeply rooted within the open-source community. For years, we have been at the forefront of enabling organizations to break free from proprietary software and embrace open-source solutions, fostering digital sovereignty and independence. Additionally, Collabora Online’s foundation in LibreOffice, a renowned and extensively tested open-source office suite, brings an added layer of reliability and trust to the project.
Since government documents have typically been created using Microsoft Office, Collabora Online is an excellent choice for the new web office component of the openDesk platform due to our excellent interoperability with other document editors.
Documents migrated into openDesk should maintain a nearly identical look and equivalent functionality, and workflows to create and review documents must be similar enough to be comfortable and easily discoverable. Not content to sit back and relax however, we continue to work on this area with every iteration of Collabora Online.
What we’ve worked on
We are implementing a number of changes and updates to Collabora Online to further improve our integrations with other service providers, and better fit the specific requirements of the German government. Examples of these changes include new integrations with modules such as the Zotero citation and reference management tool, improved accessibility (for example our new dark mode or screen reader functionality), multi-page floating tables, compact pivot tables, multi-stop gradients, document navigation, and much more!
It is an exciting project to be part of, and we are thankful to the German government for their investment and partnership.
Looking Ahead
As openDesk progresses, it will offer European governments a true open-source alternative reference implementation, built with modularity, interchangeability, and interoperability in mind. While the initial release is planned for the end of 2023, this project is set to have a lasting impact on how governments approach digital technology.
We applaud the German Federal Ministry of the Interior and Community’s dynamic leadership in making this project a reality, along with Dataport’s support. Together with the other contributors to the project, Collabora is excited to be part of this journey towards digital sovereignty. Together we are working towards a more open, secure, and sustainable digital future for all.
Stay tuned for more updates on this exciting project!
[1] Previously known as the Sovereign Workplace project, not to be confused with the open-source furniture manufacturer of the same name.
[2] openDesk is an open-source development project for public administration that was initiated by the Federal Ministry of the Interior and Community (BMI). The product creates a powerful open-source alternative to proprietary solutions in the digital workplace, tailored to the needs of public administration. The focus is on digital sovereignty, user friendliness and future viability. The openDesk workplace is browser-based and contains the necessary basic functions to support everyday digital business and work processes as well as virtual collaboration. Translated from the original German – https://gitlab.opencode.de/bmi/souveraener_arbeitsplatz/info/-/blob/main/FAQ.md
Ensuring the utmost security of your documents and data is paramount. Collabora Online, a powerful document editing solution, goes above and beyond to fortify your security, providing you with a robust shield against potential threats. In this blog post, we’ll delve into some of the central security features that make Collabora Online the trusted choice for so many – including Seccomp BPF, Sparse File Systems, and Chroot. These are the pillars upon which our security stands. We’ll explore how these technologies work together to create a document environment that’s not only highly efficient but also exceptionally secure.
It is worth noting that, in order to enact some of these security measures, Collabora Online requires enhanced privileges at start-up in order to limit its access to the rest of the system. These privileges are swiftly dropped once they have been used to lock down each document. This methodology may seem paradoxical at first, but we hope that in this post you will see why these widely-recognized, industry-standard [1][2] security layers in fact bring about the greatest safety for your file storage and editing solutions.
Seccomp BPF
Seccomp BPF is a Linux kernel feature that enhances security by restricting the system calls a process can make [3]. This significantly reduces the kernel attack surface exposed to the process, minimizing the risk of a security breach. It lets us shrink the access of Collabora Online document processes to exclude system calls that have been problematic in the past [4]. Any unexpected system call can then be instantly recognized as a malicious attack and cause immediate termination of the relevant document process by the operating system.
One example threat that this eliminates would be an escaped application attaching a hand-crafted debugger (using the ptrace system call) to try to access data or disrupt other system operations. Under the filter, use of the ptrace or kill system calls is immediately recognized as illegitimate: the call is not performed, the attempt is logged, and the document process is terminated.
As mentioned in the introduction, in order to provide this layer of protection, Collabora Online requires sysadmin capabilities; these are rapidly dropped after startup, and the resulting filter provides one of our strongest security pillars. By enabling Seccomp BPF within Collabora Online containers, partners can rest assured that their document environment remains safeguarded from a whole set of malicious activities.
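The ptrace scenario above can be made concrete with a small seccomp-BPF policy. The following is an added example written for this article, not code from Collabora Online: it denies exactly the two calls the text names (ptrace and kill), allows everything else, checks the architecture field so a foreign syscall ABI cannot slip past, and includes a tiny user-space interpreter so the policy can be verified without loading it into the kernel. It assumes x86-64 or AArch64 Linux with kernel headers present, and it only kills the offending process; the logging the text describes would come from the kernel audit subsystem or a separate SECCOMP_RET_TRAP handler, which this example does not set up.

```c
/* Added example, not Collabora Online's own code: a minimal seccomp-BPF
 * policy that kills a process the moment it invokes ptrace(2) or kill(2).
 * Every other system call is allowed so the demo stays readable. */
#define _GNU_SOURCE
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#  define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#  define DEMO_ARCH 0u  /* unknown architecture: add its AUDIT_ARCH_* value before use */
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
#  define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL  /* older kernel headers */
#endif

/* System calls a sandboxed document process never needs (assumed list). */
static const int denied_syscalls[] = { __NR_ptrace, __NR_kill };
#define DENIED_COUNT (sizeof denied_syscalls / sizeof denied_syscalls[0])
/* Layout: ld arch, jeq arch, kill, ld nr, N compares, allow, kill. */
#define FILTER_LEN (4 + DENIED_COUNT + 2)

static struct sock_filter filter[FILTER_LEN];

/* Build the classic-BPF program in place; returns its instruction count. */
size_t build_filter(void)
{
    size_t i = 0;
    /* Refuse any foreign ABI (e.g. 32-bit compat) whose syscall numbers differ. */
    filter[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                               offsetof(struct seccomp_data, arch));
    filter[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0);
    filter[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    filter[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                               offsetof(struct seccomp_data, nr));
    for (size_t d = 0; d < DENIED_COUNT; d++) {
        /* On a match, jump over the remaining compares and the ALLOW to KILL. */
        uint8_t to_kill = (uint8_t)(DENIED_COUNT - d);
        filter[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                   (uint32_t)denied_syscalls[d], to_kill, 0);
    }
    filter[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    filter[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    return i;
}

/* Interpreter for the three opcodes used above, so the policy can be
 * tested in user space without loading it into the kernel. */
uint32_t evaluate(uint32_t arch, int nr)
{
    struct seccomp_data data;
    memset(&data, 0, sizeof data);
    data.nr = nr;
    data.arch = arch;
    size_t len = build_filter();
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &filter[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k + sizeof acc > sizeof data) return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const char *)&data + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;  /* unsupported opcode: fail closed */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;          /* fell off the end: fail closed */
}

/* Load the filter into the kernel for the calling process (0 on success). */
int install_filter(void)
{
    struct sock_fprog prog = { .len = (unsigned short)build_filter(), .filter = filter };
    /* Lets an unprivileged process apply the filter and guarantees that
     * execve() can never regain privileges afterwards. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

/* Demo: a child installs the filter and then attempts ptrace(); the kernel
 * delivers SIGSYS and the child is gone before the call can do anything. */
int main(void)
{
    pid_t pid = fork();
    if (pid == 0) {
        if (install_filter() != 0) _exit(2);
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);  /* never returns under the filter */
        _exit(0);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS)
        puts("sandboxed child was killed with SIGSYS on ptrace(), as intended");
    else
        printf("unexpected child status 0x%x (seccomp unavailable?)\n", status);
    return 0;
}
```

A production filter is normally the inverse of this one, an allow-list of the calls the process is known to need with a default of kill, and is installed after the privileged set-up steps (chroot, capability drop) have completed, which is the ordering the text describes for Collabora Online.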
Chroot
Chroot, short for “change root,” is a mechanism that runs a process and its children within a confined directory, isolating them from the rest of the system. Integrating Collabora Online with chroot ensures that the application and its dependencies are enclosed within a controlled environment, minimizing the potential for conflicts with other software, and again ensuring any security breaches are isolated by default, greatly reducing the possibility of any system-wide disruption.
What this means in Collabora Online is that every document user is only able to access the document data served to them in the first instance, and cannot acquire access to the rest of the system files, or use the file-system to communicate or disrupt other documents. Similar to the way fire doors are used to prevent the spread of a fire through a building, except in this case the door is fireproof, and there is no key.
Sparse File Systems
Collabora Online has been optimized in many ways to streamline resource utilization whilst bolstering security measures at the same time. One key security optimization is the sparse file system setup.
With a sparse file system setup, Collabora Online minimizes its footprint by exclusively installing the libraries and fonts essential for operation. Unlike other installations that may include unnecessary elements, this streamlined approach both saves on system resource usage, and as with Seccomp BPF above, further reduces the potential system attack surface area.
Examples of exclusions from the Collabora Online chroot would be shell tools, or unnecessary device nodes. By heavily restricting access to system device nodes Collabora Online operates with a very limited set of resources, making it very difficult for any attack to develop within the system. Following on in the fire safety analogy, this would be like removing flammable materials from a building to prevent fires starting or spreading.
In order to remove unnecessary and potentially dangerous functionality from the Collabora Online chroot, enhanced privileges are required. As mentioned above however, this privilege is dropped rapidly after entering the chroot. By only incorporating the resources that are absolutely necessary, Collabora Online further fortifies your system against potential security breaches.
Sharing memory
So why does Collabora need its own containment system? In short – for memory efficiency.
Technologies like Copy on Write (COW) and virtual memory sharing are essential components of Collabora Online’s resource-efficient yet highly-secure environment. When documents are opened in Collabora Online, COW enables multiple users to safely share large parts of the same memory space. This seriously cuts down on time and system resource usage, since other than the content unique to each document, the majority of each Collabora Online instance can be shared.
Given the above warnings about chroot and sparse file systems, this might seem like we are contradicting ourselves, but in this case the shared components are only ever framework components, and due to the way COW functions, a new document ‘sharing’ another’s settings has no access to the actual sensitive file data, nor even the ability to modify the shared data from the original file. The key to COW’s speed and efficiency is that only if and when the framework data is modified (written, as in Copy on Write) is an actual copy created and new bytes written.
So why bother? Because COW is perhaps analogous to utility supplies, or other public services provided to houses or offices. Not using COW, and re-building the framework data for every document, would be like building new power stations, water treatment works, gas storage facilities, hospitals, schools, train stations, bus stations and road networks for every single house. This is of course not done, and you don’t hear of businesses complaining about the security implications of sharing a water supply with the neighbours.
In the same way, virtual memory allows the majority of memory used to be efficiently shared between containers. The Linux operating system provides strict isolation mechanisms to prevent any write access to another user’s code or document data.
This strikes a well-optimized balance between resource usage and robust security, bringing down the un-shared data cost for each document from perhaps 300 MB to 25 MB. In this way, collaborative working in Collabora Online can remain efficient, all the while safeguarding the privacy and integrity of each user’s data.
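The isolation property the text relies on, that a process sharing pages copy-on-write cannot alter the other side’s view of them, can be observed directly with fork(2). The following added example (written for this article, not Collabora Online’s code) maps a 16 MiB “framework” buffer, forks a child that overwrites every page of it, and checks from the parent that not a single byte changed. The buffer size and the per-page marker values are constructed for the demo.

```c
/* Added example, not Collabora Online's own code: copy-on-write isolation
 * across fork(2). The child shares every page of the parent's buffer until
 * it writes; each write gives the child a private copy, so the parent's
 * data (the "framework" in the article's terms) is never touched. */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

#define FRAMEWORK_BYTES (16u * 1024u * 1024u)  /* constructed: 16 MiB of shared data */
#define PAGE 4096u                             /* stride large enough to hit every page */

/* Marker written to the first byte of each page so tampering is detectable. */
static unsigned char marker(size_t off) { return (unsigned char)(off / PAGE); }

/* Returns 1 if the parent's data survived the child's writes unchanged,
 * 0 if any byte changed, -1 on a system error. */
int cow_isolation_check(void)
{
    unsigned char *framework = mmap(NULL, FRAMEWORK_BYTES, PROT_READ | PROT_WRITE,
                                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (framework == MAP_FAILED) return -1;
    /* Touch every page so it is physically present and shared after fork(). */
    for (size_t off = 0; off < FRAMEWORK_BYTES; off += PAGE)
        framework[off] = marker(off);

    pid_t pid = fork();
    if (pid < 0) { munmap(framework, FRAMEWORK_BYTES); return -1; }
    if (pid == 0) {
        /* Child: behaves like a document process trying to tamper with the
         * shared framework. Each write forces a private page copy. */
        for (size_t off = 0; off < FRAMEWORK_BYTES; off += PAGE)
            framework[off] = 0xFF;
        _exit(framework[PAGE] == 0xFF ? 0 : 1);  /* child sees only its own copy */
    }

    int status = 0;
    if (waitpid(pid, &status, 0) != pid) { munmap(framework, FRAMEWORK_BYTES); return -1; }
    if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) {
        munmap(framework, FRAMEWORK_BYTES);
        return -1;
    }

    /* Parent: verify that nothing leaked back across the COW boundary. */
    int intact = 1;
    for (size_t off = 0; off < FRAMEWORK_BYTES; off += PAGE) {
        if (framework[off] != marker(off)) { intact = 0; break; }
    }
    munmap(framework, FRAMEWORK_BYTES);
    return intact;
}

int main(void)
{
    int r = cow_isolation_check();
    if (r == 1)
        puts("parent's framework data intact after child overwrote its copy");
    else
        printf("unexpected result %d\n", r);
    return r == 1 ? 0 : 1;
}
```

The same mechanism is what keeps the per-document cost low: until the child writes, the 16 MiB costs nothing extra, and after it writes only the touched pages are duplicated.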
Additional security practices
Document editors are substantial applications, and Collabora invests heavily in hardening the LibreOfficeKit core, which forms the foundation of Collabora Online and comprises over 8 million lines of code. In addition to the security pillars outlined already, further rigorous measures are in place to uncover any issues. These include crash testing, use of Coverity [5], and aggressive fuzzing in partnership with Google’s OSS-Fuzz [6].
Crash testing involves subjecting the software to various stress tests and scenarios to uncover vulnerabilities that could lead to crashes or security breaches. Coverity, a sophisticated static code analysis tool, is deployed to scrutinize the code base for potential flaws or vulnerabilities. Complementing these measures is aggressive fuzz testing, where the software is bombarded with a wide range of unexpected inputs to discover and rectify any weak points.
The size of the core code remains the top attack vector, and we work hard to ensure that no code can break out and execute inside the context of the document. This is why the protective layers above are key to ensuring the highest levels of security for your document editing solution.
Is it just us?
System administrators are rightly cautious when alerted to requests for enhanced permissions, but the reality is that this remains one of the best ways to lock down an application. Google Chrome on Linux, for example, is also a set-uid program. Other server-side software like Jitsi or Postfix also doesn’t drop all capabilities, for similar reasons. Other app containment and sandboxing systems such as Flatpak employ the same strategy of running with elevated privileges to apply specific security measures like Seccomp BPF and to set up sparse file systems. This approach, which ultimately limits the program’s reach and ensures that potential vulnerabilities don’t lead to widespread damage, is a widely recognized and accepted industry practice.
Conclusion
Collabora Online is architected from the ground up to safeguard your documents and data while providing a feature-rich and efficient document editing environment. Operating with enhanced permissions, Collabora Online will ensure you have the best security measures available at your disposal, making sure your digital workspace remains safely locked down.
If you give Collabora Online the permissions it needs to do the job well – you will be much safer.
A large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. As system calls change and mature, bugs are found and eradicated. A certain subset of userland applications benefit by having a reduced set of available system calls. The resulting set reduces the total kernel surface exposed to the application. System call filtering is meant for use with those applications.
Developers must never rely on client-side access control checks. [1]
With this simple statement, OWASP are putting a very big question mark over the head of any document editor that performs access controls in browser. So what is the big deal, and are client-side access controls really that bad? In this quick post, we’ll find out.
Distributing Data
What happens when a government employee views your tax records, the bank assesses your mortgage application, or your lawyers share documents regarding your case with each other? Depending on the application they are using, it turns out the first operation may well be for the server to make copies of the document for every editor or viewer, before sending the copies to each user’s device. In case it isn’t immediately obvious, this distributive flavour of document editing is extremely concerning for a number of reasons.
1. Lack of Server-Side Enforcement
As mentioned above, one of the core principles of the OWASP guidelines is enforcing security measures on the server side. However, when full document files are sent to the browser for editing, the server loses control over the data. This immediately undermines any ability to enforce security policy.
2. Vulnerabilities
If data files are sent with code to execute policy in the browser, then a malicious script, acting as a “browser”, can simply download the document data and discard the policy logic. This exposes the data to potential cyber-attacks and data breaches. OWASP requirement 4.1.1 states this very simply as, “Verify that the application enforces access control rules on a trusted service layer, especially if client-side access control is present and could be bypassed” [2], since “client-side logic is often easy to bypass” [3]. Whilst organisations rightly have training about whether secure USB sticks should or shouldn’t be used with company laptops, nobody is talking about the 3rd party access freely given by company servers to anything pretending to be a browser.
3. Duplicates
When dealing with sensitive (or arguably any) data, the last thing we should think about doing is photocopying it. TOP SECRET – EYES ONLY is a phrase we are familiar with from the world of spies and espionage, yet it is so often overlooked in the online world. We naively assume that this couldn’t be an issue with our document editor, yet with many services this is precisely what happens when we start a viewing session. Requirement 4.1.5 states that developers should “Verify that access controls fail securely including when an exception occurs.” It’s impossible to imagine how any developer can verify such a fail-safe system, however, when one of the primary functions of the data centre is duplicating files before distribution to any user.
4. Data Sovereignty and Compliance
Many industries are bound by strict compliance requirements and regulations. Whilst the question of where large data centres are based is beginning to be understood and grappled with, many are overlooking the question of data stored in the cache of users’ browsers. Call it what you want, but if this is the way your document editor functions, you are operating a series of international data centres. With just a few clicks and the magic password ‘F12’, the browser will show the cached documents straight away.
Conclusion
Governments or organisations that handle financial records, medical information, intellectual property, or indeed any other data, need to carefully assess whether their document editor is operating in a manner consistent with their own regulations and OWASP guidelines. The implications of sending full copies of documents to every browser are many, and extremely questionable. Genuine server-side policy enforcement is the only way to maintain real security. Collabora Online sends a pixel based view of a document to the end user, whilst the full document data remains safely under your control.
V4.1 General Access Control Design
4.1.1 Verify that the application enforces access control rules on a trusted service layer, especially if client-side access control is present and could be bypassed.
4.1.2 Verify that all user and data attributes and policy information used by access controls cannot be manipulated by end users unless specifically authorized.
4.1.3 Verify that the principle of least privilege exists – users should only be able to access functions, data files, URLs, controllers, services, and other resources, for which they possess specific authorization. This implies protection against spoofing and elevation of privilege. (C7)
4.1.4 [DELETED, DUPLICATE OF 4.1.3]
4.1.5 Verify that access controls fail securely including when an exception occurs.
Accessibility isn’t just a matter of compliance, it’s a commitment to fairness. When content is accessible, it becomes a bridge that connects people, regardless of their circumstances. For instance, individuals with visual impairments can have text read aloud to them through screen readers, while keyboard shortcuts enable those with mobility limitations to navigate without a mouse. Furthermore, it is our firm belief that improvements in document accessibility can be a win for everyone, impaired or not.
As such, at Collabora Online we are committed to bringing the best digital experience we can to all our users, and with our latest release are one step closer to making inclusivity a reality for every individual, regardless of their abilities or challenges.
Screen Readers
One of the key features of document accessibility is that documents are readable by screen readers. Screen readers are software programs that read text aloud for people who are visually impaired. To make a document accessible to screen readers, it must be structured in a way that is readable by the software. This includes using headings, lists, and tables to organize the content in a logical and easy-to-understand way.
In order to further improve document readability, we have added an accessibility checker which will highlight areas that require improvement, both adding to a document’s structure and logical flow, as well as flagging specific issues for screen readers.
Additionally, we’ve introduced a new feature that allows screen readers to access menus and dialogs. This change will make it easier for those with visual impairments to navigate and interact with their documents through text-to-speech or braille displays. With our new initial screen reader support, we’re working to ensure that no one is left behind in a digital world.
Keyboard Shortcuts
Another important feature of document accessibility is that documents can be used with only a keyboard. Some users may not be able to use a mouse, so providing keyboard shortcuts and making sure that all controls and links can be accessed with keyboard commands is essential to ensure access for all.
The latest 23.05 release also brings an improvement to our previously existing keyboard shortcut interface, enhancing the user experience for all Collabora Online users.
Dark Mode
The introduction of Collabora Online’s Dark Mode UI isn’t just a stylistic choice, it’s another step towards enhancing visual accessibility and user comfort. Dark Mode has been carefully designed to alleviate eye strain and mitigate other visual accessibility issues that users may face. By reducing the overall brightness and minimising glare, Dark Mode creates a more soothing and comfortable environment for extended periods of document creation and collaboration. We plan to work on low contrast themes next.
Benefits for Everyone
Improving online accessibility is beneficial for everyone by providing a better, more logical and usable user experience. Documents with a clear structure that are easier for screen readers to understand, will also be more easily read by those who do not require screen readers. In the same way, clearer user interfaces, with intuitive shortcuts, will help everyone who is writing, editing, or reading a document. With this attitude in mind, we are very pleased with the latest improvements to Collabora Online, and are confident that as we seek to make Collabora Online more accessible to those with the biggest challenges, we are at the same time improving the experience of all.
Stay tuned over our next releases to see the continuous improvements in accessibility for all.