Today, ProPublica became the first US news organization to launch the new 0.2.1 version of SecureDrop, our open-source whistleblower submission system that journalism organizations can use to safely accept documents and information from sources.
ProPublica, an independent, not-for-profit news outlet, is known for its hard-hitting journalism and has won several Pulitzer Prizes since its founding just five and a half years ago. ProPublica’s mission focuses on “producing journalism that shines a light on exploitation of the weak by the strong and on the failures of those with power to vindicate the trust placed in them.”
It's exactly the type of journalism that we aim to support at Freedom of the Press Foundation, and we hope SecureDrop will help ProPublica further that mission.
To send documents to ProPublica, download the Tor Browser Bundle, and then copy and paste this Tor onion URL into the browser: http://qzpl6f4fyx4pxzdu.onion/ . Remember: do not submit information from your home or office Internet connection; use public wifi instead. For additional safety, consider submitting using the Tails operating system.
ProPublica’s security precautions in their implementation of SecureDrop can also serve as a model for other journalism organizations considering launching their own version. SecureDrop is really only as secure as the environment around it, and ProPublica has made sure to follow security best practices in creating it. ProPublica’s SecureDrop landing page is HTTPS by default, they’ve placed no trackers or analytics tools that would give third parties access to who visits the page, and have implemented all the correct security headers to mitigate potential attacks (which you can confirm here).
ProPublica’s Mike Tigas explained why this is important in their blog post announcing the launch:
The information page at securedrop.propublica.org contains instructions on how to send us material through the system. The information page itself is on a server that is not connected to the SecureDrop server. But as an important part of the system, it needs to follow good security practices, so we’ve configured it according to security recommendations by the Freedom of the Press Foundation. We enforce HTTPS connections to that domain by using the “Strict-Transport-Security” HTTP header. We prevent external content and browser frames from accessing that page, to ensure that the information you see there isn’t tampered with. It does not store any access logs or create any cookies.
They’ve also contributed to further the security of the open-source project by publishing their configuration file so other news organizations can easily implement the correct security headers on their own landing page in the future.
We’ve documented the nginx configuration file we use on our information page and are publishing it today. Other sites may use our example config for similar small websites requiring HTTPS and high browser security.
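As an added illustration of the practices ProPublica describes above (HTTPS enforced with Strict-Transport-Security, no framing or external content, no access logs, no cookies), here is a minimal nginx server block for a static landing page. This is example configuration written for this post, not ProPublica’s published config; the hostname, certificate paths and document root are placeholders.

```nginx
# Added example: minimal nginx configuration for a SecureDrop landing page.
# securedrop.example.org and all file paths are placeholders, not ProPublica's values.

server {
    listen 80;
    server_name securedrop.example.org;
    # Send every plaintext request to the HTTPS site.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name securedrop.example.org;

    ssl_certificate     /etc/ssl/certs/securedrop-landing.pem;    # placeholder path
    ssl_certificate_key /etc/ssl/private/securedrop-landing.key;  # placeholder path
    ssl_protocols       TLSv1.2;

    # Static HTML only: no application code, so nothing here sets cookies.
    root  /var/www/securedrop-landing;  # placeholder path
    index index.html;

    # Tell browsers to use HTTPS for this domain for the next year.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    # Refuse to be embedded in a frame, and allow the page to load resources
    # only from itself, so the instructions shown cannot be altered or
    # overlaid by third-party content.
    add_header X-Frame-Options "DENY";
    add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'";
    add_header X-Content-Type-Options "nosniff";

    # Keep no record of who visited the page.
    access_log off;
}
```

After reloading nginx, fetching the page with `curl -I https://securedrop.example.org/` should show the Strict-Transport-Security, X-Frame-Options and Content-Security-Policy headers and no Set-Cookie header.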
SecureDrop was originally created by the late technologist and transparency advocate Aaron Swartz. Freedom of the Press Foundation has been managing the project since the fall of 2013. Version 0.2.1 was recently put through a thorough security audit, which you can read here. We are currently on the road installing the service for several other major news organizations. So stay tuned for more.