
DEPRECATED — Security indicator on the source page

Nina Eleanor Alter edited this page Feb 27, 2022 · 1 revision

ABANDONED BECAUSE OF LACK OF INTEREST

Description

This note is intended to support the discussion about the proposed feature.


The problem

Some SecureDrop instances did not follow the recommended installation procedure and do not provide the expected level of security. This is a problem when the source is misled into thinking that all SecureDrop instances offer the same level of security.

The observations

The contributor knows of one SecureDrop instance which does not implement some important security recommendations, such as the air-gapped machine or OTP. Every newly installed SecureDrop instance has the same source interface page and is publicly visible to anyone looking for SecureDrop instances.

User's awareness that something's wrong

The users have no indication that their expectation in terms of security may not be met.

As a source, the process to verify a SecureDrop instance is legitimate and secure is:

  • Go to the organization landing page
  • Verify that the SecureDrop onion URL listed on the landing page is in the securedrop.org directory, which means the Freedom of the Press Foundation received a statement that the installation was done in conformance with the recommended installation procedure
  • Verify, at the bottom of the source page, that the version displayed matches the latest release advertised at https://securedrop.org

The source is not instructed to perform these verifications.

Example of an organization not listed in the securedrop.org directory: Invisible Institute landing page and SecureDrop instance, up to date with 0.6.

Example of an unbranded SecureDrop instance running SecureDrop 0.4.3 listed in the securedrop.org directory

Example of an unbranded SecureDrop instance running SecureDrop 0.3.5

Finding the issue

The contributor talked to a dozen people in half a dozen organizations (mostly during conferences). The contributor noticed that a large number of organizations which do not have SecureDrop would like to use it. However, their mental model of SecureDrop is very similar to Dropbox (some even conflated the two as "SecureDropBox") or WeTransfer. The contributor suspected that this may lead some organizations to deploy SecureDrop as a Dropbox/WeTransfer alternative and discard the inconvenient security features because their threat model does not require them. The contributor has knowledge of one organization where this is actually the case.

Scale of the issue

The contributor has observed the problem once, on a SecureDrop instance that has been active for more than one year. It stands to reason that other live SecureDrop instances have the same problem, but the contributor does not have first-hand knowledge that this is the case.

TODO

  • Are there other instances with the same issue?
  • How many?
  • Are they all very bad, a bit bad, or actually not that bad?
  • Idea: I would ask people to impersonate a source and submit classified documents via SecureDrop to a selected list of three SecureDrop instances, without the security indicator, knowing that one has good security and is in the directory, another has good security but is not in the directory, and another has poor security. Then run the same experiment with the security indicator. The objective is to measure a) in what way it influences how sources assess the security of an instance, and b) how much it influences the submission workflow of a source.
