
SecureDrop - brianmwaters_hn
https://ssl.washingtonpost.com/securedrop
======
FiloSottile
If the leaker visits this page before opening the Tor Browser from a regular
browser to copy the onion url, the whole thing is as safe as SSL as there will
be a trail of the SSL connection just before the visit to SecureDrop. And they
don't even explain to avoid it.

OPSEC is hard.

~~~
handsomeransoms
(Securedrop dev here) This is a really good point. Unfortunately, we're "as
safe as SSL" no matter what, unless the source has a separate way to verify
the .onion address on the SSL-protected page. They can use the SecureDrop
directory for that (and we're working on other schemes as well), but it's not
automated so only a handful of very cautious sources would likely do this.

I'm not sure how we could explain to avoid it - where would the explanation
go? Visiting that page would be just as much of a correlation, no? It's kind
of a chicken and egg problem, unless the source is already using Tor.

Avoiding the "trail of the SSL connection" also suggests we should be doing
something to combat website fingerprinting, which we have discussed but do not
have a clear solution for yet.

Our current thinking is that just visiting the landing page is not enough to
prosecute a source. We can do better, and are working on it, but it's
difficult.

~~~
sandstrom
A few things that may be helpful:

1. Make the entire site available under `ssl.washingtonpost.com` (ideally
without the `ssl.` prefix).

That way, the domain won't be as suspicious as it is right now. I suspect that
this is more or less the only content hosted on the domain.

2. Include an iframe for all (or a random subset of) visitors, loading this
particular url (hidden).

By artificially generating traffic to the endpoint it will be harder to
distinguish these from other, 'real' requests.

Use a random delay for adding the iframe (otherwise the 'pairing' with the
initial http request may distinguish this traffic).

3. Print the link, url and info block on the dead trees (the paper), as others
have suggested.

4. Add HSTS headers
([http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security](http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security))
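
Points 2 and 4 above, as an added example that is not code from the original post or from the SecureDrop project: a minimal WSGI app that sends the HSTS header and, for a random subset of visitors, injects a hidden iframe to the landing page after a random delay. The fraction, delay bound and helper names are assumptions; HSTS is only honoured by browsers when received over HTTPS, so the local plain-HTTP server is for illustration only.

```python
import secrets
from wsgiref.simple_server import make_server

LANDING_URL = "https://ssl.washingtonpost.com/securedrop"  # URL from the page
COVER_FRACTION = 0.25   # assumed share of visitors that receive the hidden iframe
MAX_DELAY_MS = 30_000   # assumed upper bound for the random delay before loading it

def hsts_header(max_age: int = 31536000, subdomains: bool = True) -> tuple:
    """Strict-Transport-Security header (point 4): after seeing it once, the
    browser refuses plain HTTP to this host for max_age seconds."""
    value = f"max-age={max_age}"
    if subdomains:
        value += "; includeSubDomains"
    return ("Strict-Transport-Security", value)

def select_for_cover(fraction: float = COVER_FRACTION) -> bool:
    """Choose a random subset of visitors with the OS CSPRNG, so the choice
    cannot be predicted from a seedable PRNG."""
    return secrets.randbelow(10_000) < int(fraction * 10_000)

def cover_delay_ms(max_delay_ms: int = MAX_DELAY_MS) -> int:
    """Random delay so the iframe fetch is not 'paired' with the page fetch."""
    return secrets.randbelow(max_delay_ms + 1)

def cover_snippet(delay_ms: int, url: str = LANDING_URL) -> str:
    """Inline script that appends a hidden iframe after delay_ms milliseconds."""
    return (
        "<script>setTimeout(function(){"
        "var f=document.createElement('iframe');f.style.display='none';"
        f"f.src='{url}';document.body.appendChild(f);}},{delay_ms});</script>"
    )

def render_page(body_html: str, inject: bool, delay_ms: int) -> str:
    """Render an ordinary page, with the cover-traffic snippet only when selected."""
    snippet = cover_snippet(delay_ms) if inject else ""
    return f"<html><body>{body_html}{snippet}</body></html>"

def app(environ, start_response):
    headers = [("Content-Type", "text/html; charset=utf-8"), hsts_header()]
    page = render_page("<h1>Front page</h1>", select_for_cover(), cover_delay_ms())
    start_response("200 OK", headers)
    return [page.encode("utf-8")]

if __name__ == "__main__":
    make_server("127.0.0.1", 8000, app).serve_forever()
```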

~~~
vhost-
Also, if you can swing
[https://washingtonpost.com?page=securedrop](https://washingtonpost.com?page=securedrop),
the request will just look like it's to
[https://washingtonpost.com](https://washingtonpost.com) since query
parameters are encrypted with ssl.

~~~
improv32
So is the rest of the URL, it could just as well be
[https://washingtonpost.com/securedrop](https://washingtonpost.com/securedrop)

~~~
vhost-
Oh right, paths are too. Sorry!

------
esonderegger
If anyone from WaPo visits here, you've got some typos on that page:

"Download and install the Tor browser bundle from Download and install the Tor
browser bundle from https://www.torproject.org/" should be
"Download and install the Tor browser bundle from https://www.torproject.org/"

"You will be provided with a codename that you will use it to log in to check
for replies from The Post." should not have the word "it".

Otherwise, great work! I'm really glad that you're doing this and featuring it
prominently on your home page.

------
hackuser
I worry that the Washington Post has unintentionally created a honeypot for
leakers. I wonder if the Post has the resources to sufficiently secure it:

The requirement for security is to make successful attacks more expensive than
they are worth for the attackers. (There is no perfect security, of course.)

How much is information leaked to the WP worth? It's information that can
change the course of history; it could make war or peace; it could be worth
billions or even trillions of dollars; it could simply change the course of
the stock market or of one stock and be worth billions to an individual.

If I ran a state intelligence service, with the fate of my nation and all my
citizens in my hands, I would be irresponsible not to invest in monitoring the
Washington Post (and the NY Times, and others') "secure" tip line. If I ran an
unscrupulous business, it would be worth it, if only for the information
relevant to the stock market. EDIT: Also, the information can change the
course of elections and be a target of unscrupulous politicians.

I find it hard to believe that the Washington Post or any news organization
has the resources to protect assets that valuable.

------
dewey
In case you don't have Tor installed and want to know what it looks like:
[https://imgur.com/GbwKfuG,D2aWi25,glApNg3](https://imgur.com/GbwKfuG,D2aWi25,glApNg3)

~~~
toni
Very refreshing to see a big, red warning in the screenshot about the fact
that Javascript is _enabled_! Usually you see the same thing when Javascript
is disabled, asking you to enable it.

~~~
handsomeransoms
(SecureDrop dev here) Glad you like it! It's hard to tell people who get
excited about fun UX ideas that they can't use JS, but from my experience as a
browser security engineer, eliminating JavaScript (and plugins, which the TBB
does already) dramatically reduces the browser's (unfortunately enormous)
attack surface.

~~~
toni
Agreed with you completely. Every time a new web app is posted to HN and it
doesn't work without enabling Javascript, a small circle of security-conscious
people complain about it. The responses from other people are in the lines of:

_"Are there really people that browse the internet without enabling
Javascript in 2014?"_

_"Well, 0.01% of your users have Javascript disabled, you can safely ignore
them"_

_"Javascript is an important part of the web, if you have it disabled, you
have no right to complain"_

We need more people like you to advocate secure browsers without using
Javascript.

------
noso
The Guardian has also released a secure drop platform:

[http://www.theguardian.com/technology/2014/jun/05/guardian-l...](http://www.theguardian.com/technology/2014/jun/05/guardian-launches-securedrop-whistleblowers-documents)

[https://securedrop.theguardian.com/](https://securedrop.theguardian.com/)

~~~
pcl
This is a different deployment of the same product [1]. Which, incidentally,
was originally created by Aaron Swartz. The Wikipedia page[2] has a list of
well-known deployments.

[1]
[https://pressfreedomfoundation.org/securedrop](https://pressfreedomfoundation.org/securedrop)

[2]
[http://en.wikipedia.org/wiki/SecureDrop](http://en.wikipedia.org/wiki/SecureDrop)

~~~
aroman
Thanks for pointing that out. I just watched "The Internet's Own Boy", the
documentary about Aaron, and it is positively incredible how many projects
Aaron created or played a critical role in creating. An unthinkable shame that
he left us so soon — one can only imagine all the things he had left to
create.

------
blauwbilgorgel
Does anyone know what the codenames are like? If they are easy enough to
remember, then they may be easy enough to brute-force?

I think this is a great concept, yet perhaps too little, too late (Journalists
should know PGP and drop boxes like these should have been common already). I
also worry a bit because of Washington Post's track record with leaks, off the
top of my head:

- Washington Post was Snowden's first choice, but they put up enough demands
for Snowden to move to The Guardian. [1]

- Washington Post, according to Assange, had access to the "Collateral
Murder" video a whole year before WikiLeaks published their edited video. [2]

- Washington Post employs op-ed columnists that call for assassination of
"criminally dangerous" leakers like Assange [3]

[1] [http://nymag.com/daily/intelligencer/2013/06/nsa-leaker-shop...](http://nymag.com/daily/intelligencer/2013/06/nsa-leaker-shopped-his-story-around.html)

[2] [http://www.abc.net.au/foreign/content/2010/s3040234.htm](http://www.abc.net.au/foreign/content/2010/s3040234.htm)

[3] [http://www.washingtonpost.com/wp-dyn/content/article/2010/08...](http://www.washingtonpost.com/wp-dyn/content/article/2010/08/02/AR2010080202627.html)

EDIT: More information on SecureDrop:
[https://pressfreedomfoundation.org/securedrop](https://pressfreedomfoundation.org/securedrop)
and source here:
[https://github.com/freedomofpress/securedrop](https://github.com/freedomofpress/securedrop)

~~~
handsomeransoms
Securedrop dev here. We tried to balance the memorizability of codenames (aka
Diceware passphrases) with their length. The current minimum length is 8 words
from a list of 6969 words, so you get math.log(6969 ** 8, 2) = 102 bits of
entropy, which is quite good. Additionally, the codenames are stretched with
scrypt which affords an extra (approx.) 14 bits of entropy (that's our current
work factor).

We are continuing to discuss and debate this trade-off. Other ideas welcome!
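
Working through the entropy figures in the comment above, as an added example that is not SecureDrop's own code: raw passphrase entropy, the extra per-guess cost scrypt stretching adds, the word count needed for a target, and CSPRNG-based codename generation. The short word list is a constructed stand-in for the real 6969-word list, and reading the "14 bits" work factor as scrypt N = 2^14 (with r = 8, p = 1) is an assumption.

```python
import hashlib
import math
import secrets

# Figures quoted in the comment; the word list itself is not on the page, so the
# list below is a constructed stand-in used only to show the generation step.
WORDLIST_SIZE = 6969
MIN_WORDS = 8
SCRYPT_N = 2 ** 14   # assumed: "14 bits" of work factor read as N = 2^14
SAMPLE_WORDLIST = ["apple", "bridge", "candle", "delta", "ember", "fossil"]

def passphrase_entropy_bits(words: int, list_size: int) -> float:
    """Entropy of `words` words drawn uniformly and independently from a list
    of `list_size` entries: log2(list_size ** words) == words * log2(list_size)."""
    return words * math.log2(list_size)

def effective_bits(words: int, list_size: int, scrypt_n: int) -> float:
    """Raw entropy plus log2(N): each online/offline guess now costs about N
    scrypt work units, which is what the comment counts as extra bits."""
    return passphrase_entropy_bits(words, list_size) + math.log2(scrypt_n)

def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count whose raw entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))

def generate_codename(wordlist: list, words: int = MIN_WORDS) -> str:
    """Draw words with the OS CSPRNG; random.choice() would be predictable."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))

def stretch_codename(codename: str, salt: bytes, n: int = SCRYPT_N) -> bytes:
    """Derive the stored/login credential with scrypt so that verifying (and
    therefore guessing) a codename costs roughly N units of memory-hard work."""
    return hashlib.scrypt(codename.encode("utf-8"), salt=salt, n=n, r=8, p=1, dklen=32)

if __name__ == "__main__":
    print(f"{MIN_WORDS} words from {WORDLIST_SIZE}: "
          f"{passphrase_entropy_bits(MIN_WORDS, WORDLIST_SIZE):.1f} raw bits, "
          f"{effective_bits(MIN_WORDS, WORDLIST_SIZE, SCRYPT_N):.1f} with scrypt")
    print("128-bit target needs", words_needed(128, WORDLIST_SIZE), "words")
    print("sample codename:", generate_codename(SAMPLE_WORDLIST))
```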

------
peterwwillis
Tor hidden services are not bulletproof. Just as a really simple example, you
can do network traffic analysis to find network nodes with one-way traffic to
hosts without a correlated public service and deduce if a hidden service is
nearby.

There are several exploits which have been used in the past to expose Tor
hidden services, and several papers on theoretical ways to expose them. Many
of these attacks can be used in reverse to expose the origin of a connection
to a hidden service.

In the [not so] extreme case, the govt can always issue a National Security
Letter to WaPo and scoop up any data it wants directly from the hidden service
servers, similar to its Silk Road and Freedom Hosting takedowns.

The FBI TOR Exploit [ [http://resources.infosecinstitute.com/fbi-tor-exploit/](http://resources.infosecinstitute.com/fbi-tor-exploit/) ]

Heartbleed used to reveal Tor hidden services [ [https://blog.torproject.org/blog/openssl-bug-cve-2014-0160/](https://blog.torproject.org/blog/openssl-bug-cve-2014-0160/) ]

Hot or Not: Revealing hidden services by their clock skew [ [http://www.cl.cam.ac.uk/~sjm217/papers/ccs06hotornot.pdf](http://www.cl.cam.ac.uk/~sjm217/papers/ccs06hotornot.pdf) ]

Tor Hidden Service Passive De-Cloaking [ [http://blog.whitehatsec.com/tor-hidden-service-passive-de-cl...](http://blog.whitehatsec.com/tor-hidden-service-passive-de-cloaking/) ]

------
angry_octet
If all Post correspondents used SecureDrop to submit their stories that would
be a start.

One would have to assume that all the traffic going to the server is logged by
the NSA and anyone else who can manage it. If the traffic volume is low then
timing correlation with even a large pool of suspects is simple. An active
attacker can differentiate between the SSL connection from a web browser and
one from a tor node, so the background SSL traffic to the Post would not
provide cover.

I think it could be improved by using a mix network (eg mixminion) accessed
over tor, rather than just tor.

Unfortunately the mixmaster/mixminion networks are currently too small to
provide meaningful complexity. Large scale adoption by, eg, newspapers, is not
technically hard and would significantly complicate the adversary problem.

I'd love to see more discussion of bitmessage and Pond
([https://pond.imperialviolet.org/](https://pond.imperialviolet.org/))

cf [http://www.syverson.org/](http://www.syverson.org/)

------
DustinCalim
This is brilliant, and a smart move for the WP, despite some of the
criticisms below. I think it's a much needed, if romantic, idea that harkens
back to the transparency of Wikileaks, and gives WP a great little heads up
over some of the other papers. I wouldn't be surprised to watch the others
follow suit soon.

------
tlrobinson
Random question: has anyone attempted to build a Tor-like system (or bridge to
the actual Tor network) using WebRTC?

Assuming you were able to avoid the "JavaScript crypto problem", would this be
a good or bad idea?

------
hadoukenio
Sometime in the near future, I predict that the US will require some form of
photo I.D before using an internet kiosk. As usual, the spin will be to
protect the children.

~~~
taco_john
USA is pretty low on the list of countries I could imagine implementing
something like this. Given Russia's, China's, and a large portion of SEA
countries' internet censorship track records...

~~~
sspiff
I'd put the USA pretty high on that list. They've implemented plenty of their
take-downs over the past year, and are more capable of introducing something
like this than any SEA state.

~~~
untog
I think many people living in the US are unaware of just how bad the rest of
the world has it, sometimes.

~~~
enraged_camel
That's not the point at all. The USA claims to be a bastion of democracy and
freedom. Therefore it has significantly higher standards to live up to than
countries like Russia and China.

------
dan_bk
If you depend on your anonymity, do _not_ use Tor.

------
lnanek2
Wow, Tor is still a thing? We have confirmation that security agencies have
taken over exit nodes and injected spyware before to track targets. I'm
surprised anyone uses it. It's like the security lottery.

~~~
meowface
The NSA leaks reveal that for the most part, Tor is still secure if you're
using a sufficient number of intermediary nodes.

If anything, the real concern here is the implicit encouragement to use local
library computers, which would be much easier for a government agency (or
cybercriminal) to infect with malware and observe.

~~~
handsomeransoms
(Securedrop dev) That's not an implicit encouragement, despite it being your
interpretation. Library computers, in my experience, do not typically allow
you to install software on them, such as the Tor Browser Bundle, which is
needed to access SecureDrop.

The explicit encouragement that is clearly written on the landing page is to
use a personal computer (not a work computer) and a public network (e.g. a
coffee shop).

~~~
meowface
Apologies, you're completely right. I think I got that impression from
something someone else said in this thread.

