SecureDrop – An open-source whistleblower submission system (securedrop.org)
343 points by spaceboy on Feb 15, 2017 | hide | past | favorite | 78 comments



For those who don't know Garrett Robinson (who heads SecureDrop's development), he's been extremely dedicated to user privacy issues and first amendment concerns. I may occasionally differ from his views, but I admire the passion he's poured into both his work at Mozilla and into SecureDrop.

https://freedom.press/people/garrett-robinson/


SecureDrop uses Tor Browser, as do many other public interest security solutions. However, a respected security expert here on HN recently said of Tor Browser:

> the Tor Browser might be the least safe browser to use of all available browsers that can be installed on modern computers. It is a perfect storm of "inferior security design" and "maximized adversarial value per exploit dollar spent". / Don't use Tor Browser.

He recommends Chrome (presumably over the Tor network). I tend to believe the expert, because IME real security expertise (as opposed to technically sophisticated people reading about security and trying to DIY) is rarely utilized and applied even by prominent organizations and projects. But I wish someone would reconcile all of this.

EDIT: Some clarifying edits


The Tor Browser folks have talked about this a little bit under

https://blog.torproject.org/category/tags/chrome

although I'm not sure if there's been a big recent summary on this. One way to put it, akin to things other people have said in this thread, is that Chromium is tougher to customize, less cooperative upstream, and somewhat worse for specific technical user-tracking issues. Tor folks are very, very worried about cross-site and cross-session linkability attacks and tend to put a lot of technical effort into mitigating those.

tptacek's point in the other thread (that you're quoting) is about exploit mitigation, where Chromium is doing better, partly because they hired a lot of super-great people to work primarily on that (and also are paying pretty big bounties), and also because their architecture makes it easier in the first place.

So the Tor Browser work has focused a lot on stopping sites from recognizing you, while they're not working as hard or doing as well on stopping sites from hacking you, which they might then use to deanonymize you by making you send clearnet traffic, or even to exfiltrate files from your computer. (Also, for visiting non-HTTPS clearnet sites over Tor, the exit nodes and their ISPs are in a position to perform these attacks.)

The situation for SecureDrop instances might be safer than for other hidden services because they're probably more professionally run and carefully monitored, and use better-audited and simpler user-facing code, among other reasons, but then again this might not be true because they're also potentially exciting and interesting targets.


I disagree. Tor/Firefox do indeed have significantly worse security (right now), but that can be mostly mitigated by using easy-to-use third-party sandboxing tools (Sandboxie, Firejail, a VM).

For Linux, there's now a "hardened" version of the Tor browser as well (still alpha, I believe), and if you really care about this, you can also use TAILS, Qubes/Whonix, etc. It would probably be best not to use Windows if you want to be anonymous anyway (certainly not Windows 10, which looks like it was designed after a law enforcement wishlist - there are probably dozens of ways in which law enforcement can identify you by using Windows 10's tracking "features").

I don't think there's a way to "easily" make "Chrome over Tor" anonymous and private...


> I disagree. Tor/Firefox do indeed have significantly worse security (right now), but that can be mostly mitigated by using easy-to-use third-party sandboxing tools (Sandboxie, Firejail, a VM).

Now that they have moved to multi-process Firefox, they can finally start sandboxing everything. There are already plans in place to start reusing Chrome's sandboxes profiles.

> I don't think there's a way to "easily" make "Chrome over Tor" anonymous and private...

You literally have to fork the browser, they won't maintain the internal APIs required by the Tor team. Hell, they refuse to respect basic SOCKS5 proxy settings [0].

[0]: https://trac.torproject.org/projects/tor/wiki/doc/ImportantG...


> that can be mostly mitigated by using easy-to-use third-party sandboxing tools (Sandboxie, Firejail, a VM)

We also need solutions for typical end users. In the case of SecureDrop, the users will include people with near-zero technical capability, and little time or motivation to learn something new.


You need to disable WebRTC, WebGL, Canvas and a bunch of other things if you're going to use Chrome/Chromium with Tor

There is no good solution at the moment - one lacks security while the other lacks privacy.


None of this stops browser fingerprinting completely. Browser fingerprints can be extracted from just using canvas calls.


Browser fingerprints can be largely extracted from fairly fundamental JS DOM/CSSOM APIs, you don't need to get into anything nearly as easily-disabled as canvas. (For one, start by measuring metrics of a list of several hundred fonts to detect their presence: that's just simple CSSOM operations.)


I'm not sure what the state of the art is, but I know canvas calls offer very rich fingerprints that almost no one disables.

But this was more concerning the "webgl" disabled bit.


Well, the act of using Chrome itself on Tor is many bits towards a unique fingerprint.

WebRTC is because of IP leaks via peer connections.

We really need a build of Chromium that removes the fancier web tech and integrates privacy features of Tor BB.

It's just a lot of work to maintain - but a fork of Chromium that is a little behind upstream is safer than FF.


But this can largely be mitigated by switching off JavaScript. I am not sure whether this is possible in Chrome; in Firefox that is easy. This might be one of the reasons that the Tor browser bundle uses Firefox over Chrome.


I don't really understand the issue with browser fingerprinting. Yes, in theory it can uniquely identify you, but only if your browser fingerprint never changes. Every time I go to one of these "are you unique?" websites, I am a new guy to them.


Many aspects of your computer end up in browser fingerprinting. So even if you do end up using multiple browsers, temporal coupling and secondary signals may let observers make a (low-confidence) link to you.


I am not talking about multiple browsers. I use the same browser all day and my fingerprint still changes constantly, for many obvious reasons. The browser updates itself, I add extensions, etc. So browser fingerprinting seems like a really bad way to identify people uniquely. Using multiple different browsers just adds to that even more.


It appears that you do not understand the basics of how this works: even if the print changes in an absolute sense, what does not change is that many bits from one print to another are constant. Those are the bits that matter, and if there are enough of them then they can be used to track you across sessions, even across sessions using Tor and sessions not using Tor.

Tie that all together and it may very well be possible to tie an upload using the Tor network to a particular user visiting some random website at a later date.

You're leaking bits all the time and not all that many of them are required to uniquely identify you.

See https://33bits.org/ for an easy to consume introduction.
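The point made above about constant bits, as an added example that is not from the thread or from 33bits.org: a visitor whose browser version and extension list change every session still shares a stable subset of attributes (platform, screen, timezone, languages, fonts), and that subset is what links the sessions and carries the identifying bits. All session records and the background population are constructed for the demonstration, and the attribute names are chosen here rather than taken from any real fingerprinting library.

```javascript
// Added example: why a fingerprint that "changes constantly" still links sessions.
// Attributes that vary between visits are noise; the constant ones carry the bits.
// Every record below is constructed; nothing here is collected from a real browser.

const STABLE_KEYS = ["platform", "screen", "timezone", "languages", "fonts"];
const VOLATILE_KEYS = ["userAgent", "extensions"];

// Three sessions from one constructed visitor: the full print differs every time.
const ONE_VISITOR = [
  { id: "s1", userAgent: "Firefox/51.0", extensions: ["ublock"],
    platform: "Linux x86_64", screen: "2560x1440x24", timezone: "Europe/Oslo",
    languages: "nb-NO,en", fonts: "DejaVu Sans;Liberation Mono;Noto Serif CJK" },
  { id: "s2", userAgent: "Firefox/52.0", extensions: ["ublock", "https-everywhere"],
    platform: "Linux x86_64", screen: "2560x1440x24", timezone: "Europe/Oslo",
    languages: "nb-NO,en", fonts: "DejaVu Sans;Liberation Mono;Noto Serif CJK" },
  { id: "s3", userAgent: "Firefox/52.0.1", extensions: [],
    platform: "Linux x86_64", screen: "2560x1440x24", timezone: "Europe/Oslo",
    languages: "nb-NO,en", fonts: "DejaVu Sans;Liberation Mono;Noto Serif CJK" },
];

// A different constructed visitor with the SAME browser version and extensions as s2,
// to show that the volatile attributes are not what does the linking.
const OTHER_VISITOR = {
  id: "s4", userAgent: "Firefox/52.0", extensions: ["ublock", "https-everywhere"],
  platform: "Win32", screen: "1920x1080x24", timezone: "America/Toronto",
  languages: "en-CA,en", fonts: "Arial;Calibri;Segoe UI",
};

// Constructed background population: every combination of a few common values,
// 4*4*4*4 = 256 visitors, none of which shares the first visitor's font list.
function buildPopulation() {
  const platforms = ["Win32", "MacIntel", "Linux x86_64", "Linux armv7l"];
  const screens = ["1920x1080x24", "1366x768x24", "2560x1440x24", "1440x900x24"];
  const zones = ["America/Toronto", "Europe/Oslo", "Europe/London", "Asia/Tokyo"];
  const langs = ["en-US,en", "en-CA,en", "nb-NO,en", "ja-JP,ja"];
  const pop = [];
  for (const platform of platforms) for (const screen of screens)
    for (const timezone of zones) for (const languages of langs)
      pop.push({ platform, screen, timezone, languages, fonts: "Arial;Calibri;Segoe UI" });
  return pop;
}

const fullPrint = (s) => JSON.stringify([...STABLE_KEYS, ...VOLATILE_KEYS].map((k) => s[k]));
const stablePrint = (s) => JSON.stringify(STABLE_KEYS.map((k) => s[k]));

// True when no two sessions share a full print, i.e. hashing the whole print never links them.
function allFullPrintsDiffer(sessions) {
  return new Set(sessions.map(fullPrint)).size === sessions.length;
}

// Group sessions by their stable print; sessions in one group are linkable across visits.
function linkSessions(sessions) {
  const groups = new Map();
  for (const s of sessions) {
    const key = stablePrint(s);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(s.id);
  }
  return [...groups.values()];
}

// Surprisal of a stable print against the population, in bits:
// -log2(fraction of visitors sharing it), add-one smoothed so an unseen print stays finite.
// The sample size bounds the claim: 256 visitors can never yield more than log2(257) bits.
function stableBits(session, population) {
  const key = stablePrint(session);
  const shared = population.filter((p) => stablePrint(p) === key).length;
  return -Math.log2((shared + 1) / (population.length + 1));
}
```

The three sessions of the first visitor have three different full prints but one stable print, and a visitor who matches them on browser version and extensions is still kept apart. Against this toy population the first visitor's stable print is worth about 8 bits, which is a floor set by the sample size, not a ceiling.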


Okay, I see, so somebody has to keep a massive database of all the fingerprints and constantly keep trying to cross-reference every browserprint with every other browserprint. Doesn't seem like an exact science, but I get that it's technically possible to find some matches.


If you spin up a new Docker container on a server hosting provider and run your desktop from there, your browser is untainted and fresh each session, so no fingerprints.


> However, a respected security expert here on HN recently said of Tor Browser

The Chrome browser doesn't respect SOCKS5 proxy settings, lacks stream isolation, and has all sorts of other built-in identifiers. There is a reason the Tor team hasn't switched to using Chrome!


Could you cite with a link to the actual comment?



This is a trivial Flask file uploading application, with a "code name"-based feedback system, wrapping GnuPG's Python bindings, intended to be run on Tor.

The security it provides is marginal, but it's so simple that it's not the part of anyone's stack that's most likely to be compromised.

I think a significantly better version of this could be built. What makes doing that tricky is that you want to retain the almost hello-world simplicity of this app, because the big reason not to run something like this is the likelihood that the server itself will have flaws.

On the other hand, it's 2017, and you can also accept files over secure messengers.

Later

Amusingly, people seem to think that these are bad things to say about an application like SecureDrop.


We currently offer SecureDrop as one of the ways folks are offered to send in tips to The New York Times.

https://www.nytimes.com/tips

> I think a significantly better version of this could be built. What makes doing that tricky [...]

Would you mind describing, in a few broad strokes, what a better SecureDrop would look like? What would be the main potential changes and improvements?


Yeah, I'll do that. Let me run thoughts past some other people first.


SecureDrop isn't just an application, it also encompasses the infrastructure setup and opsec procedures required for the submission system to function securely.


+1. It also teaches the receiving end how to receive and work with sensitive materials in a more secure way. That has actually been the hardest part of the implementation we did: teaching the journalists how to treat the material received. We also tried to create a fairly informative page for the tipsters https://www.dn.no/staticprojects/2016/12/securedrop/ (in Norwegian)


Agreed on unnecessary complexity, but it's not a trivial app. Quick scrolling through sources and we see dozens of endpoints and each is potentially vulnerable.

Trusting the server, developers, Flask (which is by no means a good choice for a secure app, my word) etc... messengers are a better option for sure.


The endpoints don't do much, the app delegates most of its functionality to very well-known Python libraries, there's minimal backend, no account system... it's a pretty auditable piece of code. If you can't get a handle on the security of this thing, there's no web app you can get a handle on.


There is an account system too - journalists got passwords, sources got "code names".

Not huge, but much more complicated than it could be. For instance, it redefined CSRF protection in a weird way https://github.com/lepture/flask-wtf/blob/master/flask_wtf/c...


Securedrop is used by NYT-level companies. I thought using it is a no-brainer for any news media. Now I am having doubts :((


Over complicated doesn't mean insecure, but the less code the better


OT: homakov and tptacek in the same thread <3


> I think a significantly better version of this could be built.

I'd encourage you to help build a better version.


I think people think I'm saying something I'm not. The point of that paragraph isn't that SecureDrop is terrible; it's that attempts to improve it need to be mindful of the fact that SecureDrop's simplicity is an important part of why it's considered safe to run. The point is that there are a bunch of "features" you could add to this, including things that might ostensibly improve privacy and safety, but that you don't necessarily want to adopt a more complicated version of it.


I don't disagree at all! I admit, the comment you replied to of mine was lazy. Let me expound:

You have a wealth of security experience. SecureDrop is an essential piece of infrastructure in today's reality. It would be beneficial if you contributed your experience as time permits and where applicable to ensure it remains secure if (when?) its functionality is extended.

Features are nice; remaining secure is mandatory.


Some of us are already talking to Garrett, who is plenty clueful on his own. :)

I think the misunderstanding (if it exists) is my fault, though; rereading, I probably shouldn't have used the word "significantly". I'll try to avoid adjectives first thing in the morning moving forward.


Could you elaborate on what you consider lacking?


Privacy and security?


> Amusingly, people seem to think that these are bad things to say about an application like SecureDrop.

People don't seem to understand what trusted-computing-base actually means.


[flagged]


We've banned this account.


SecureDrop is also in use by CBC, a publicly-funded National broadcaster in Canada, and is actually implemented and managed properly -- regardless of the quality of SecureDrop itself.

https://securedrop.cbc.ca/

The gateway site is only accessible over HTTPS, then it's to an .onion via a link to Tor Browser, and mentions of TAILS; all caveats with using the stated software apply though.


CBC should not host that site on such a distinctive subdomain, as the hostname "securedrop.cbc.ca" will leak in the clear during the TLS negotiation. It would be far better to host the same content at, say, https://cbc.ca/securedrop.
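The leak described in the comment above, as an added example that is not from the thread or from CBC's deployment: the hostname a browser connects to is sent in the server_name (SNI) extension of the TLS ClientHello, before any key exchange, so it is readable by anyone on the network path even though the rest of the request is encrypted. The example builds a minimal ClientHello for constructed hostnames (example.org rather than any real site) using Node's Buffer and parses the hostname back out of the raw record.

```javascript
// Added example: where the hostname sits in a TLS ClientHello. The record is built
// from constructed values (fixed random, one cipher suite) so it runs offline;
// it is not a captured packet. Hostnames are placeholders, not real deployments.

function u16(n) { const b = Buffer.alloc(2); b.writeUInt16BE(n); return b; }
function u24(n) { const b = Buffer.alloc(3); b.writeUIntBE(n, 0, 3); return b; }

// Build: TLSPlaintext(handshake) -> Handshake(client_hello) -> ClientHello with one
// extension, server_name (type 0x0000) carrying a single host_name entry.
function buildClientHello(hostname) {
  const name = Buffer.from(hostname, "ascii");
  const sniList = Buffer.concat([Buffer.from([0x00]), u16(name.length), name]); // type=host_name
  const sniExt = Buffer.concat([u16(0x0000), u16(sniList.length + 2), u16(sniList.length), sniList]);
  const exts = Buffer.concat([u16(sniExt.length), sniExt]);
  const body = Buffer.concat([
    Buffer.from([0x03, 0x03]),          // client_version: TLS 1.2 wire value
    Buffer.alloc(32, 0x11),             // random: constructed, fixed
    Buffer.from([0x00]),                // session_id: empty
    u16(2), Buffer.from([0x13, 0x01]),  // cipher_suites: one entry
    Buffer.from([0x01, 0x00]),          // compression_methods: null only
    exts,
  ]);
  const handshake = Buffer.concat([Buffer.from([0x01]), u24(body.length), body]);
  return Buffer.concat([Buffer.from([0x16, 0x03, 0x01]), u16(handshake.length), handshake]);
}

// Parse: walk the cleartext record and return the SNI hostname, or null if none.
// This is exactly what a passive observer (or a network monitor) can read.
function extractSni(rec) {
  if (rec.length < 9 || rec[0] !== 0x16 || rec[5] !== 0x01) return null; // handshake/ClientHello
  let p = 9;                              // record header (5) + handshake header (4)
  p += 2 + 32;                            // client_version + random
  p += 1 + rec[p];                        // session_id
  p += 2 + rec.readUInt16BE(p);           // cipher_suites
  p += 1 + rec[p];                        // compression_methods
  if (p + 2 > rec.length) return null;    // no extensions block at all
  const extEnd = p + 2 + rec.readUInt16BE(p);
  p += 2;
  while (p + 4 <= extEnd) {
    const type = rec.readUInt16BE(p), len = rec.readUInt16BE(p + 2);
    p += 4;
    if (type === 0x0000) {
      // ServerNameList: 2-byte list length, then entries of type(1) length(2) name
      const listEnd = p + 2 + rec.readUInt16BE(p);
      let q = p + 2;
      while (q + 3 <= listEnd) {
        const nameType = rec[q], nameLen = rec.readUInt16BE(q + 1);
        if (nameType === 0x00) return rec.toString("ascii", q + 3, q + 3 + nameLen);
        q += 3 + nameLen;
      }
    }
    p += len;
  }
  return null;
}

// Constructed hostnames: a distinctive subdomain leaks the purpose of the visit in
// the clear; a path on the apex domain does not, since the path travels only inside
// the encrypted HTTP request.
const LEAKY = buildClientHello("securedrop.example.org");
const QUIET = buildClientHello("example.org");
```

Encrypted Client Hello (ECH) is the later TLS extension designed to close this gap, but it needs support from both the client and the server's DNS and TLS setup, so the hostname choice still matters wherever ECH is not in use.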


RIP Aaron Swartz, who originally built this. He'd be 30 now.


Highly suggest anyone that has not watched "The Internet's Own Boy: The Story of Aaron Swartz" take the time to watch it:

https://m.youtube.com/watch?v=gpvcc9C8SbM

RIP Aaron



Also worth shouting out to GlobaLeaks, a similar sort of system with some interesting other features.

https://www.globaleaks.org


What is the basis for thinking it's secure?


Excellent team of people. Widely used. Code audits etc etc

https://github.com/globaleaks/globaleaks/wiki


Do not forget https://onionshare.org/

An excellent alternative to SecureDrop. At least so it seems...


What is the basis for thinking it's secure? Anyone can write an app and then type the characters "s-e-c-u-r-i-t-y" in the description.


Coded by Micah F. Lee of the free press foundation. Pretty well respected member of the community and all around great guy.


Thanks. For my and others' reference, is Mr. Lee an IT security professional? I don't mean to disparage those who aren't (I'm not), but in the end security comes down to trusting the expertise, execution, and intentions of the developers - and he sounds good for the latter two, based on what you say.


Recently reviewed SecureDrop and was surprised how many mainstream media companies do not provide a way for leakers to safely leak information to them.


No kidding. Seems like only a few of the largest media outlets provide SecureDrop or a similar alternative, and that number quickly drops to zero when you move from general mainstream media to more specialised stuff (tech, sports, gaming, music, etc).

Most don't even provide more than a simple contact form or email address...


Tangential and more applicable to a different style of leak, but I'd be interested in seeing the development of some protocol ideas for authenticating leaks to gain confidence the leaker is actually within a given organization. Otherwise we're left not knowing if a casual leaker is for real or just entertainment tweeting.

One rough idea is that large organizations make specific press releases or announcements, that a precommitment could demonstrate privileged access to.

Another idea would be inclusion of some internal communication, which other members of the organization could confirm. This would require those other members to be sympathetic to the leaking, and also not worried about reprisals for speaking publicly like so. This probably isn't useful on its own, but the basic mechanism could be combined with other means to derive utility without public attestation.

The biggest issue is (of course) an adversarial organization subtly changing to-be-published information, to sniff out the actual leaker. Which is why I'm envisioning the need for some formality that could quantify and mitigate such leakage.


Is this based on Tor? Or are whistleblowers expected to use Tor on top of this?


> Each Source Interface is only available as a Tor Hidden Service, which is a special type of website with an address ending in ".onion" that is only accessible through Tor. Tor is an anonymizing network that makes it difficult for anybody observing the network to associate a user's identity (e.g. their computer's IP address) with their activity (e.g. uploading information to SecureDrop).

From https://docs.securedrop.org/en/latest/source.html


Whistleblowers are expected to use Tor to visit the specific secure drop address for the org in question.


They have an onion address at the bottom of the page.

Then, the various guides, like for sources, suggest submissions are TOR only...


I'm not sure the problem is a lack of leaking solutions that we can trust, especially as long as WikiLeaks is around.

The problem I see is that there will be no more important leaks:

a) Given how around 50% of the US population was brainwashed by government and media into believing Snowden is a traitor,

b) Given the fact that America has elected a president who wants Snowden executed,

c) Given that the NSA has locked down their systems completely since Snowden's revelations.

Who would want to take these risks to leak anything just to be put on "the list" by their own country and people?

If Snowden's leaks were not enough to get people thinking then the only thing that will is serious pain and suffering. And that is what I personally expect to come (for the lower and middle class, at least).


I'm kind of split on Snowden. I think he had noble intentions with it, but I worry that he disclosed more than was pertinent to the surveillance state-ish aspects he was trying to blow the whistle on. Do I think he's a traitor? No, only because in my view there really needs to be some malice on the part of the person to be a true traitor. I think he's a well intentioned guy that, again, released too much.

But pretending that the government is totally locked down, I don't think that eliminates the need for tools for whistleblowing. Look at Enron. The ability for truly anonymous leaking wasn't a real thing at that point. Maybe the lady would have released the information externally about the company's practices had there been something in place to allow her to do so with plausible deniability? Maybe the possibility that someone could leak info now with plausible deniability acts as a means to help guide a current company's moral compass?


I read a post on HN a while back about how the government occasionally allows leaks/is tolerant of them because sometimes they use leaks to their advantage for altering public perception, and they won't be able to do that if there aren't occasional legitimate leaks.


When you've got game theorists and all sorts of mathematicians staffing the NSA/other think tanks, you're going to wind up with all sorts of first-bluff odd tactics.


Mind you, there are other things US citizens would want to safely/anonymously leak info on, besides their government (e.g. corporate malfeasance), in which cases the Snowden reaction does not have the same chilling effect.

And there are people living in other countries who want to leak things about their governments (or corporations), too; what the US thinks about leaks doesn't matter much to them.


>Given that the NSA has locked down their systems completely since Snowden's revelations.

Are you sure about that? NSA has been leaking far more recently than in the past. The Shadow Brokers are just one of many. Not to mention, the intercepted signals that are being talked about through the news with the Trump presidency.


> a) Given how around 50% the US population was brainwashed by government and media into believing Snowden is a traitor,

That means there's about 159 million people who don't believe he's a traitor.

> b) Given the fact that America has elected a president who wants Snowden executed,

?? Most whistleblowers don't plan to get outed, do they?

> c) Given that the NSA has locked down their systems completely since Snowden's revelations.

If there's one thing I've learned, any system can be considered "locked down", right up until the point that it isn't.

And people need to have access to the data for it to be of any use, right?


>Given how around 50% the US population was brainwashed by government and media into believing Snowden is a traitor

It's unfortunate that you jump to the conclusion that those you disagree with are "brainwashed". There are reasons to think he was a whistle blower with good intentions. But there are also reasons, like his leaks of the US government's unquestionably legitimate surveillance of foreign governments, to think he was not. Someone on the other side of the debate could just as well call you brainwashed for discounting or not considering the latter point.


Agh the old "questioning American hegemony, therefore traitor" act. Please enlighten me how spying on virtually every single government on the planet (ally or not) is "unquestionably legitimate".


So long as there is no world government with a monopoly on violence, that's just the way the game works. And it's not really anything to do with American hegemony in particular. Every country seeks to maximize its own power relative to others. Espionage is just one tool toward that end.

https://en.wikipedia.org/wiki/Realism_(international_relatio...

And while you may believe with good reason that an individual should have higher loyalties (perhaps to humanity as a whole) than to his nation state, the legal codes of the nation states obviously cannot endorse that view, as it would be destructive of their own power and their competitors will not be so altruistic.


> Given how around 50% the US population was brainwashed by government and media into believing Snowden is a traitor,

"brainwashed" seems a bit much. I have mixed feelings on the guy. Unfortunately he carried a ton of information and there is no way to completely guarantee he didn't give it to, say, China or Russia or anyone else, nor is there any guarantee that the reporters didn't in turn give it to an adversary.

I get that the privacy conversations that he sparked were great. I'm just not sold on him being all rainbows and sunshine either.

> Given that the NSA has locked down their systems completely since Snowden's revelations.

I would disagree with this assessment but I guess it depends on what you mean by "locked down".


> I'm not sure the problem is a lack of leaking solutions that we can trust, especially as long as WikiLeaks is around.

You still trust WikiLeaks?


As long as Assange is in control, absolutely. Currently, nobody beats the level of commitment that people like Assange and Snowden have proven.


What has WikiLeaks done to lose trust?

Are you talking about the trumped-up completely bogus rape case?


I still support Wikileaks.


I think that recent events have shown that leaks are still very much viable, and anything that can aid in the release of actual data as opposed to first-hand accounts is invaluable.

Also, anything that helps keep leaked data away from Wikileaks is a good thing. I wouldn't trust them any more. At all.


If a site like this doesn't yell at you for accessing over just https and not tor, you can only expect it to be run by three or four letter agencies.


One could use Bitmessage for leaks - just create a channel and let people publish data to it.

https://bitmessage.org/wiki/Main_Page


Came here to say this. You could just publish to the general chan. However, bitmessage is no good for distributing data. It would be good for distributing how to get that data (torrent magnet, mega.nz link, encryption key, etc).



