Today, we're publishing the second security audit of SecureDrop, our open-source whistleblower submission system. Since we took over managing the project in October, we have made so many upgrades to the code (based on the first security audit done by University of Washington researchers and Bruce Schneier), that we felt it was necessary to put it through another round of testing.
Furthermore, since SecureDrop has high security requirements—and will soon be installed in several more high-profile newsrooms—we are committed to having every major version release audited by a different team of experts before deployment.
This time, we worked with the German security firm Cure53, which has previously audited GlobaLeaks, Mailvelope, and CryptoCat. We gave the Cure53 team, led by Mario Heiderich, full access to an existing SecureDrop setup. Their penetration tests were performed from both whitebox and blackbox perspectives. Cure53 focused primarily on trying to find vulnerabilities in the web application (something that the previous audit did not focus on), but they also looked at the hardened environment around the web application and the application server.
You can read the full report here (PDF), or by scrolling down. We're happy to report the conclusions were quite positive. Cure53's tests "did not yield any critical vulnerabilities." They did find eleven weaknesses ranging from low to medium severity, but as the report states, while the "weaknesses provided a first step for an attack," they "left no room for the second and detrimental step." We have since fixed the reported weaknesses in the current version, 0.2.1.
Cure53 concluded "SecureDrop presented itself as a very well-hardened application with a limited attack-surface and a small code-base." Here's the final paragraph of the report:
"In conclusion, we believe that SecureDrop's greatest challenge lies not in creating a technically secure application, communication channels and server architecture but rather in getting technically less proficient users and whistle-blowers to benefit from the system without risking to leak their identity. While this might have seemed hardly possible in the application's original state, it has already demonstrated significant progress and improvement when compared to what was described by Czeskis et al. SecureDrop is on its way to reaching a primary goal of providing an exceptionally strong system, focused particularly on security and anonymity aspects. It is now reaching a moment when developing ways to work on accessibility and installation ease are vividly important. Discovering the best ways towards educating users to securely and safely deal with the documents they intend to submit or receive should be framed as a main concern."
We'd like to thank Cure53 for their hard work on such short notice. Again, this will not be the last security audit of SecureDrop. We are committed to continually having SecureDrop audited before each major version release, and each time, we will publish the results.