For those who don't know Garrett Robinson (who heads SecureDrop's development), he's been extremely dedicated to user privacy issues and first amendment concerns. I may occasionally differ from his views, but I admire the passion he's poured into both his work at Mozilla and into SecureDrop.
SecureDrop uses Tor Browser, as do many other public interest security solutions. However, a respected security expert here on HN recently said of Tor Browser:
the Tor Browser might be the least safe browser to use of all available browsers that can be installed on modern computers. It is a perfect storm of "inferior security design" and "maximized adversarial value per exploit dollar spent". / Don't use Tor Browser.
He recommends Chrome (presumably over the Tor network). I tend to believe the expert, because IME real security expertise (as opposed to technically sophisticated people reading about security and trying to DIY) is rarely utilized and applied even by prominent organizations and projects. But I wish someone would reconcile all of this.
although I'm not sure if there's been a big recent summary on this. One way to put it, akin to things other people have said in this thread, is that Chromium is tougher to customize, less cooperative upstream, and somewhat worse for specific technical user-tracking issues. Tor folks are very, very worried about cross-site and cross-session linkability attacks and tend to put a lot of technical effort into mitigating those.
tptacek's point in the other thread (that you're quoting) is about exploit mitigation, where Chromium is doing better, partly because they hired a lot of super-great people to work primarily on that (and also are paying pretty big bounties), and also because their architecture makes it easier in the first place.
So the Tor Browser work has focused a lot on stopping sites from recognizing you, while they're not working as hard or doing as well on stopping sites from hacking you, which they might then use to deanonymize you by making you send clearnet traffic, or even to exfiltrate files from your computer. (Also, for visiting non-HTTPS clearnet sites over Tor, the exit nodes and their ISPs are in a position to perform these attacks.)
The situation for SecureDrop instances might be safer than for other hidden services because they're probably more professionally run and carefully monitored, and use better-audited and simpler user-facing code, among other reasons, but then again this might not be true because they're also potentially exciting and interesting targets.
I disagree. Tor/Firefox do indeed have significantly worse security (right now), but that can be mostly mitigated by using easy-to-use third-party sandboxing tools (Sandboxie, Firejail, a VM).
For Linux, there's now a "hardened" version of the Tor browser as well (still alpha, I believe), and if you really care about this, you can also use TAILS, Qubes/Whonix, etc. It would probably be best not to use Windows if you want to be anonymous anyway (certainly not Windows 10, which looks like it was designed after a law enforcement wishlist - there are probably dozens of ways in which law enforcement can identify you by using Windows 10's tracking "features").
I don't think there's a way to "easily" make "Chrome over Tor" anonymous and private...
> I disagree. Tor/Firefox do indeed have significantly worse security (right now), but that can be mostly mitigated by using easy-to-use third-party sandboxing tools (Sandboxie, Firejail, a VM).
Now that they have moved to multi-process Firefox, they can finally start sandboxing everything. There are already plans in place to start reusing Chrome's sandbox profiles.
> I don't think there's a way to "easily" make "Chrome over Tor" anonymous and private...
You literally have to fork the browser, they won't maintain the internal APIs required by the Tor team. Hell, they refuse to respect basic SOCKS5 proxy settings [0].
> that can be mostly mitigated by using easy-to-use third-party sandboxing tools (Sandboxie, Firejail, a VM)
We also need solutions for typical end users. In the case of SecureDrop, the users will include people with near-zero technical capability, and little time or motivation to learn something new.
> However, a respected security expert here on HN recently said of Tor Browser
The Chrome browser doesn't respect SOCKS5 proxy settings, lacks stream isolation, and has all sorts of other built-in identifiers. There is a reason the Tor team hasn't switched to using Chrome!
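As an added illustration of what "stream isolation" means (this is example code, not from any commenter in this thread): Tor Browser hands tor a different SOCKS5 username/password per first-party site, and tor's IsolateSOCKSAuth behaviour puts connections that carry different credentials on different circuits. The block below builds the client side of that SOCKS5 exchange (RFC 1928 greeting and CONNECT, RFC 1929 username/password subnegotiation) and a minimal proxy-side parser that recovers the destination and an isolation key. The credential-derivation scheme is a simplified assumption, not Tor Browser's exact code, and the session nonce and hostnames are constructed for the demo.

```python
import hashlib
import struct

SOCKS_VERSION = 0x05
AUTH_USERPASS = 0x02   # RFC 1928 method code: username/password (RFC 1929)
CMD_CONNECT = 0x01
ATYP_DOMAIN = 0x03


def isolation_credentials(first_party, session_nonce):
    """Derive SOCKS5 credentials from the first-party site.

    Assumption (simplified model of Tor Browser): the username is the
    first-party domain and the password is a per-session secret, so two tabs
    on different sites present different credentials and tor gives them
    different circuits.
    """
    username = first_party.encode("idna")
    password = hashlib.sha256(session_nonce + username).hexdigest()[:32].encode()
    return username, password


def client_messages(dest_host, dest_port, first_party, session_nonce):
    """Return the three client->proxy messages of a SOCKS5 CONNECT with auth."""
    username, password = isolation_credentials(first_party, session_nonce)
    # Greeting: VER, NMETHODS, METHODS (only username/password offered)
    greeting = bytes([SOCKS_VERSION, 1, AUTH_USERPASS])
    # RFC 1929 subnegotiation: VER=1, ULEN, UNAME, PLEN, PASSWD
    auth = bytes([0x01, len(username)]) + username + bytes([len(password)]) + password
    # CONNECT request with a domain-name destination so tor does the DNS lookup
    host = dest_host.encode("idna")
    connect = (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(host)])
               + host + struct.pack("!H", dest_port))
    return greeting, auth, connect


def proxy_side(greeting, auth, connect):
    """Minimal proxy-side parser: returns (isolation_key, dest_host, dest_port).

    The proxy's replies would be b"\\x05\\x02" (method chosen) and b"\\x01\\x00"
    (auth succeeded); they are omitted since nothing is sent on the wire here.
    """
    offered = greeting[2:2 + greeting[1]]
    if greeting[0] != SOCKS_VERSION or AUTH_USERPASS not in offered:
        raise ValueError("client did not offer username/password auth")
    if auth[0] != 0x01:
        raise ValueError("bad auth subnegotiation version")
    ulen = auth[1]
    username = auth[2:2 + ulen]
    plen = auth[2 + ulen]
    password = auth[3 + ulen:3 + ulen + plen]
    if connect[:4] != bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN]):
        raise ValueError("unsupported CONNECT request")
    hlen = connect[4]
    dest_host = connect[5:5 + hlen].decode("idna")
    (dest_port,) = struct.unpack("!H", connect[5 + hlen:7 + hlen])
    # tor keys circuits on the (username, password) pair; model that as a hash
    isolation_key = hashlib.sha256(username + b"\x00" + password).hexdigest()
    return isolation_key, dest_host, dest_port


def demo():
    """Two first-party sites fetching the same third-party host get distinct keys."""
    nonce = b"constructed-session-nonce"
    key_a, _, _ = proxy_side(*client_messages("api.example.org", 443, "news.example", nonce))
    key_b, _, _ = proxy_side(*client_messages("api.example.org", 443, "other.example", nonce))
    return key_a != key_b


if __name__ == "__main__":
    print("distinct circuits for distinct first parties:", demo())
```

The point of the parser is the last line of `proxy_side`: the destination host is not part of the isolation key, so everything a single page loads (first party and its embedded third parties) shares one circuit, while the same third party loaded from a different site gets another one. A browser that ignores SOCKS5 credentials cannot express that policy at all.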
This is a trivial Flask file uploading application, with a "code name"-based feedback system, wrapping GnuPG's Python bindings, intended to be run on Tor.
The security it provides is marginal, but it's so simple that it's not the part of anyone's stack that's most likely to be compromised.
I think a significantly better version of this could be built. What makes doing that tricky is that you want to retain the almost hello-world simplicity of this app, because the big reason not to run something like this is the likelihood that the server itself will have flaws.
On the other hand, it's 2017, and you can also accept files over secure messengers.
Later
Amusingly, people seem to think that these are bad things to say about an application like SecureDrop.
> I think a significantly better version of this could be built. What makes doing that tricky [...]
Would you mind describing, in a few broad strokes, what a better SecureDrop would look like? What would be the main potential changes and improvements?
SecureDrop isn't just an application, it also encompasses the infrastructure setup and opsec procedures required for the submission system to function securely.
+1 It also teaches the receiving end how to receive, and work with sensitive materials in a more secure way. That has actually been the hardest part of the implementation we did; teaching the journalists how to treat the material received. We also tried to create a fairly informative page for the tipsters https://www.dn.no/staticprojects/2016/12/securedrop/ (in Norwegian)
Agreed on unnecessary complexity, but it's not a trivial app. Quick scrolling through sources and we see dozens of endpoints and each is potentially vulnerable.
Trusting the server, developers, Flask (which is by no means a good choice for a secure app, my word) etc... messengers is a better option for sure.
The endpoints don't do much, the app delegates most of its functionality to very well-known Python libraries, there's minimal backend, no account system... it's a pretty auditable piece of code. If you can't get a handle on the security of this thing, there's no web app you can get a handle on.
I think people think I'm saying something I'm not. The point of that paragraph isn't that SecureDrop is terrible; it's that attempts to improve it need to be mindful of the fact that SecureDrop's simplicity is an important part of why it's considered safe to run. The point is that there are a bunch of "features" you could add to this, including things that might ostensibly improve privacy and safety, but that you don't necessarily want to adopt a more complicated version of it.
SecureDrop is also in use by CBC, a publicly-funded National broadcaster in Canada, and is actually implemented and managed properly -- regardless of the quality of SecureDrop itself.
The gateway site is only accessible over HTTPS, then it's to an .onion via a link to Tor Browser, and mentions of TAILS; all caveats with using the stated software apply though.
CBC should not host that site on such a distinctive subdomain, as the hostname "securedrop.cbc.ca" will leak in the clear during the TLS negotiation. It would be far better to host the same content at, say, https://cbc.ca/securedrop.
Recently reviewed SecureDrop and was surprised how many mainstream media companies do not provide a way for leakers to safely leak information to them.
No kidding. Seems like only a few of the largest media outlets provide SecureDrop or a similar alternative, and that number quickly drops to zero when you move from general mainstream media to more specialised stuff (tech, sports, gaming, music, etc).
Most don't even provide more than a simple contact form or email address...
https://freedom.press/people/garrett-robinson/
EDIT: Some clarifying edits
https://blog.torproject.org/category/tags/chrome
[0]: https://trac.torproject.org/projects/tor/wiki/doc/ImportantG...
There is no good solution at the moment - one lacks security while the other lacks privacy.
https://www.nytimes.com/tips
I'd encourage you to help build a better version.
People don't seem to understand what trusted-computing-base actually means.
https://securedrop.cbc.ca/
https://m.youtube.com/watch?v=gpvcc9C8SbM
RIP Aaron
https://www.globaleaks.org
https://github.com/globaleaks/globaleaks/wiki
An excellent alternative to SecureDrop. At least so it seems...