
SecureDrop – An open-source whistleblower submission system - spaceboy
https://securedrop.org/
======
eganist
For those who don't know Garrett Robinson (who heads SecureDrop's
development), he's been extremely dedicated to user privacy issues and first
amendment concerns. I may occasionally differ from his views, but I admire the
passion he's poured into both his work at Mozilla and into SecureDrop.

[https://freedom.press/people/garrett-robinson/](https://freedom.press/people/garrett-robinson/)

------
hackuser
SecureDrop uses Tor Browser, as do many other public interest security
solutions. However, a respected security expert here on HN recently said of
Tor Browser:

 _the Tor Browser might be the least safe browser to use of all available
browsers that can be installed on modern computers. It is a perfect storm of
"inferior security design" and "maximized adversarial value per exploit dollar
spent". / Don't use Tor Browser._

He recommends Chrome (presumably over the Tor network). I tend to believe the
expert, because IME real security expertise (as opposed to technically
sophisticated people reading about security and trying to DIY) is rarely
utilized and applied even by prominent organizations and projects. But I wish
someone would reconcile all of this.

EDIT: Some clarifying edits

~~~
mtgx
I disagree. Tor/Firefox do indeed have significantly worse security (right
now), but that can be mostly mitigated by using easy-to-use third-party
sandboxing tools (Sandboxie, Firejail, a VM).

For Linux, there's now a "hardened" version of the Tor browser as well (still
alpha, I believe), and if you really care about this, you can also use TAILS,
Qubes/Whonix, etc. It would probably be best not to use Windows if you want to
be anonymous anyway (certainly not Windows 10, which looks like it was
designed after a law enforcement wishlist - there are probably _dozens_ of
ways in which law enforcement can identify you by using Windows 10's tracking
"features").

I don't think there's a way to "easily" make "Chrome over Tor" anonymous and
private...

~~~
indolering
> I disagree. Tor/Firefox do indeed have significantly worse security (right
> now), but that can be mostly mitigated by using easy-to-use third-party
> sandboxing tools (Sandboxie, Firejail, a VM).

Now that they have moved to multi-process Firefox, they can finally start
sandboxing everything. There are already plans in place to start reusing
Chrome's sandbox profiles.

> I don't think there's a way to "easily" make "Chrome over Tor" anonymous and
> private...

You literally have to fork the browser, they won't maintain the internal APIs
required by the Tor team. Hell, they refuse to respect basic SOCKS5 proxy
settings [0].

[0]:
[https://trac.torproject.org/projects/tor/wiki/doc/ImportantG...](https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChromeBugs)

------
tptacek
This is a trivial Flask file uploading application, with a "code name"-based
feedback system, wrapping GnuPG's Python bindings, intended to be run on Tor.

The security it provides is marginal, but it's so simple that it's not the
part of anyone's stack that's most likely to be compromised.

I think a significantly better version of this could be built. What makes
doing that tricky is that you want to retain the almost hello-world simplicity
of this app, because the big reason _not_ to run something like this is the
likelihood that the server itself will have flaws.

On the other hand, it's 2017, and you can also accept files over secure
messengers.

 _Later_

Amusingly, people seem to think that these are bad things to say about an
application like SecureDrop.

~~~
jashkenas
We currently offer SecureDrop as one of the ways folks are offered to send in
tips to The New York Times.

[https://www.nytimes.com/tips](https://www.nytimes.com/tips)

> I think a significantly better version of this could be built. What makes
> doing that tricky [...]

Would you mind describing, in a few broad strokes, what a better SecureDrop
would look like? What would be the main potential changes and improvements?

~~~
tptacek
Yeah, I'll do that. Let me run thoughts past some other people first.

------
h4waii
SecureDrop is also in use by CBC, a publicly-funded National broadcaster in
Canada, and is actually implemented and managed properly -- regardless of the
quality of SecureDrop itself.

[https://securedrop.cbc.ca/](https://securedrop.cbc.ca/)

The gateway site is only accessible over HTTPS, then it's to an .onion via a
link to Tor Browser, and mentions of TAILS, all caveats with using the stated
software apply though.

~~~
kyboren
CBC should not host that site on such a distinctive subdomain, as the hostname
"securedrop.cbc.ca" will leak in the clear during the TLS negotiation. It
would be far better to host the same content at, say,
[https://cbc.ca/securedrop](https://cbc.ca/securedrop).

------
benwikler
RIP Aaron Swartz, who originally built this. He'd be 30 now.

~~~
saycheese
Highly suggest anyone that has not watched "The Internet's Own Boy: The Story
of Aaron Swartz" take the time to watch it:

[https://m.youtube.com/watch?v=gpvcc9C8SbM](https://m.youtube.com/watch?v=gpvcc9C8SbM)

RIP Aaron

~~~
jeron
non-mobile link:
[https://www.youtube.com/watch?v=gpvcc9C8SbM](https://www.youtube.com/watch?v=gpvcc9C8SbM)

------
secfirstmd
Also worth shouting out to Global Leaks, a similar sort of system with some
interesting other features.

[https://www.globaleaks.org](https://www.globaleaks.org)

~~~
hackuser
What is the basis for thinking it's secure?

~~~
secfirstmd
Excellent team of people. Widely used. Code audits etc etc

[https://github.com/globaleaks/globaleaks/wiki](https://github.com/globaleaks/globaleaks/wiki)

------
unicornporn
Do not forget [https://onionshare.org/](https://onionshare.org/)

An excellent alternative to SecureDrop. At least so it seems...

~~~
hackuser
What is the basis for thinking it's secure? Anyone can write an app and then
type the characters "s-e-c-u-r-i-t-y" in the description.

~~~
greggh
Coded by Micah F. Lee of the free press foundation. Pretty well respected
member of the community and all around great guy.

~~~
hackuser
Thanks. For my and others' reference, is Mr. Lee an IT security professional?
I don't mean to disparage those who aren't (I'm not), but in the end security
comes down to trusting the expertise, execution, and intentions of the
developers - and he sounds good for the latter two, based on what you say.

------
saycheese
Recently reviewed the SecureDrop and was surprised how many mainstream media
companies do not provide a way for leakers to safely leak information to them.

~~~
CM30
No kidding. Seems like only a few of the largest media outlets provide
SecureDrop or a similar alternative, and that number quickly drops to zero
when you move from general mainstream media to more specialised stuff (tech,
sports, gaming, music, etc).

Most don't even provide more than a simple contact form or email address...

------
mindslight
Tangential and more applicable to a different style of leak, but I'd be
interested in seeing the development of some protocol ideas for authenticating
leaks to gain confidence the leaker is actually within a given organization.
Otherwise we're left not knowing if a casual leaker is for real or just
entertainment twitting.

One rough idea is that large organizations make specific press releases or
announcements, that a precommitment could demonstrate privileged access to.

Another idea would be inclusion of some internal communication, which other
members of the organization could confirm. This would require those other
members to be sympathetic to the leaking, and also not worried about reprisals
for speaking publicly like so. This probably isn't useful on its own, but the
basic mechanism could be combined with other means to derive utility without
public attestation.

The biggest issue is (of course) an adversarial organization subtly changing
to-be-published information, to sniff out the actual leaker. Which is why I'm
envisioning the need for some formality that could quantify and mitigate such
leakage.
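
An added sketch of the precommitment idea above (not part of the thread): a commitment built from HMAC-SHA256 keyed with a random nonce, published before an announcement and opened afterwards. The function names and the sample announcement text are constructed for illustration; the whitespace and case normalization is an assumption that only absorbs formatting-level variants, so a reworded copy still fails to verify.

```python
import hashlib
import hmac
import secrets

def normalize(text: str) -> bytes:
    """Collapse whitespace and case so formatting-only variants commit identically."""
    return " ".join(text.split()).lower().encode("utf-8")

def commit(text: str):
    """Return (commitment, nonce). Publish the commitment now, keep the nonce secret."""
    nonce = secrets.token_bytes(32)
    digest = hmac.new(nonce, normalize(text), hashlib.sha256).hexdigest()
    return digest, nonce

def verify(commitment: str, nonce: bytes, published_text: str) -> bool:
    """After the announcement, check the revealed nonce against the public text."""
    expected = hmac.new(nonce, normalize(published_text), hashlib.sha256).hexdigest()
    return hmac.compare_digest(commitment, expected)

if __name__ == "__main__":
    # Constructed sample: the text as the insider saw it before release.
    draft = "Acme Corp  will acquire\nExample Ltd on 1 March."
    c, n = commit(draft)
    print("published early:", c)
    # Same wording, different formatting: verifies.
    print(verify(c, n, "Acme Corp will acquire Example Ltd on 1 March."))
    # Reworded copy (e.g. a per-recipient variant): does not verify.
    print(verify(c, n, "Acme Corp will purchase Example Ltd on 1 March."))
```

Opening the commitment discloses the exact normalized text that was committed, so a copy that was reworded per recipient would identify its recipient when revealed.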

------
amelius
Is this based on Tor? Or are whistleblowers expected to use Tor on top of
this?

~~~
corobo
> Each Source Interface is only available as a Tor Hidden Service, which is a
> special type of website with an address ending in ”.onion” that is only
> accessible through Tor. Tor is an anonymizing network that makes it
> difficult for anybody observing the network to associate a user’s identity
> (e.g. their computer’s IP address) with their activity (e.g. uploading
> information to SecureDrop).

From
[https://docs.securedrop.org/en/latest/source.html](https://docs.securedrop.org/en/latest/source.html)

------
benevol
I'm not sure the problem is a lack of leaking solutions that we can trust,
especially as long as WikiLeaks is around.

The problem I see is that there will be no more important leaks:

a) Given how around 50% of the US population was brainwashed by government and
media into believing Snowden is a traitor,

b) Given the fact that America has elected a president who wants Snowden
executed,

c) Given that the NSA has locked down their systems completely since Snowden's
revelations.

Who would want to take these risks to leak anything just to be put on "the
list" by their own country and People?

If Snowden's leaks were not enough to get people thinking then the only thing
that will is serious pain and suffering. And that is what I personally expect
to come (for the lower and middle class, at least).

~~~
haikuginger
> I'm not sure the problem is a lack of leaking solutions that we can trust,
> especially as long as WikiLeaks is around.

You still trust WikiLeaks?

~~~
benevol
As long as Assange is in control, absolutely. Currently, nobody beats the
level of commitment that people like Assange and Snowden have proven.

------
eptcyka
If a site like this doesn't yell at you for accessing over just https and not
tor, you can only expect it to be run by three or four letter agencies.

------
elcct
One could use Bitmessage for leaks - just create a channel and let people
publish data to it.

[https://bitmessage.org/wiki/Main_Page](https://bitmessage.org/wiki/Main_Page)

~~~
dokument
Came here to say this. You could just publish to the general chan. However,
bitmessage is no good for distributing data. It would be good for distributing
how to get that data (torrent magnet, mega.nz link, encryption key, etc).

