How We Plan on Keeping SecureDrop as Secure as Possible
Micah Lee |
October 15, 2013
One of the big questions that will inevitably come up as media organizations consider adopting SecureDrop, our new open-source whistleblower submission system, is: How secure is it?
We should make one thing clear off the top: any organization or product that promises 100% security is not telling the truth. SecureDrop attempts to create a significantly more secure environment for sources to get information than exists through current digital channels, but there are still legal and technical risks any time a source wishes to submit documents to journalists—no matter the service.
However, we are committed to making and keeping SecureDrop as secure as we possibly can, while retaining usability for both the source and journalist. To that end, we are hiring a security expert full-time to continually manage the code and harden the environments around it. We also plan on commissioning regular security audits for SecureDrop as we continue to update it, so we can ensure we keep it as safe as possible for any news organization and their sources.
Threats to press freedom around the world are at an all-time high. Sign up to stay up to date and take action to protect journalists and whistleblowers everywhere.
Thanks for signing up for our newsletter. You are not yet subscribed! Please check your email for a message asking you to confirm your subscription.
Indeed, a team of University of Washington researchers led by Alexei Czeskis—and which also included Tadayoshi Kohno, Jacob Appelbaum, and security expert Bruce Schneier—has already conducted a comprehensive security audit of SecureDrop (then called DeadDrop), which was completed in August of this year. You can read the full audit here.
Importantly, the security audit found no critical flaws in the code of SecureDrop itself. The audit did, however, find several problems with the documentation (so it was close to impossible to install at an optimum security level without the creators’ help), and usability issues on both the source and journalist side (which were correctly interpreted as security flaws since a user mistake can unduly expose information). You can read the New Yorker's reply to the security audit here. The New Yorker was the first major news organization to implement SecureDrop's code.
We are committed to fixing virtually all of their recommendations. Many of these updates have already been completed, and in the coming weeks we will have completed the rest of the recommendations, which mostly deal with creating best practices guides for sources and journalists.
But since the security community may be interested, and we are a transparency organization after all, we wanted to take the time to explain in detail what we’ve done since we took over the project, and what we plan to do in the future.
On page 20 of the security audit, the authors give several recommendations. Here are the recommendations we’ve already fixed:
Recommendations that are coming soon:
What we’d like to have soon (possibly with your help!):
Right now, we warn sources to scrub the metadata on documents and suggest they use the Metadata Anonymization Toolkit. We’d like to make this easier for them if they so choose. It’s possible the source would like to keep this type of metadata on the document since it is often important to journalists to authenticate the documents they receive.
We’d like to offer this potential feature as an option to the individual media organization installing it. Currently, on the journalist’s side, the journalist already has a document metadata scrubber that she should always use before moving any documents off of the secure viewing station and into pre-publication.
However, it's important to remember: even if an attacker were to compromise the source's crypto as it's set up now, the attacker will not be able to see what document the source previously uploaded. They would only be able to see incoming messages from the journalist. To mitigate and defend against attacks, we have a separate monitor server that will both detect DoS attacks and attempted attacks that target the source and document server.
In addition, if the journalist is doing everything correctly, they will have deleted the document from the document server as well, and moved it to an air gapped viewing station, where it is much safer from any attack. Read more about air-gapped machines in this essay Bruce Schneier just published for Wired. Ultimately, any sensitive document would be sitting on an Internet-connected server for as short of time as possible.
There is also the possibility that a government would attempt to compel a media organization into handing over its crypto keys (similar to what the US government just attempted with Lavabit), or it's plaintext correspondence with sources. Even if they choose to cooperate, SecureDrop is designed to keep the source anonymous from the media organization itself. By forcing the source to submit documents through Tor, as long as the source doesn't accidentally give away their identity through either document metadata or through messages they send to the journalists, not even the media organization should be able to compromise the source's anonymity.
Additionally, in the United States, this would be completely unprecedented and would quickly escalate into one of the biggest press freedom fights in US history. In other countries, this risk may be greater and media organizations should plan for such contingencies in any event where they are compelled to hand over crypto keys to the entire system.
If you have suggestions for how we can make SecureDrop better, or you’d like to help with development, please sign up for our developers mailing list here.
Since WikiLeaks pioneered the use of anonymous submission systems more than half a decade ago, the rest of the journalism world has yet to replicate the ability to safely accept documents from potential whistleblowers. We hope our investment into SecureDrop will inspire other developers to create new types of submission systems, which we will be happy to support if they are as technically secure as possible.
The more diverse systems, and the more media organizations that deploy them, the harder they are to stop. This is how we can ensure press freedom in the 21st Century.