SecureDrop – An open-source whistleblower submission system(securedrop.org) |
the Tor Browser might be the least safe browser to use of all available browsers that can be installed on modern computers. It is a perfect storm of "inferior security design" and "maximized adversarial value per exploit dollar spent". / Don't use Tor Browser.
He recommends Chrome (presumably over the Tor network). I tend to believe the expert, because IME real security expertise (as opposed to technically sophisticated people reading about security and trying to DIY) is rarely utilized and applied even by prominent organizations and projects. But I wish someone would reconcile all of this.
EDIT: Some clarifying edits
https://blog.torproject.org/category/tags/chrome
although I'm not sure if there's been a big recent summary on this. One way to put it, akin to things other people have said in this thread, is that Chromium is tougher to customize, less cooperative upstream, and somewhat worse for specific technical user-tracking issues. Tor folks are very, very worried about cross-site and cross-session linkability attacks and tend to put a lot of technical effort into mitigating those.
tptacek's point in the other thread (that you're quoting) is about exploit mitigation, where Chromium is doing better, partly because they hired a lot of super-great people to work primarily on that (and also are paying pretty big bounties), and also because their architecture makes it easier in the first place.
So the Tor Browser work has focused a lot on stopping sites from recognizing you, while they're not working as hard or doing as well on stopping sites from hacking you, which they might then use to deanonymize you by making you send clearnet traffic, or even to exfiltrate files from your computer. (Also, for visiting non-HTTPS clearnet sites over Tor, the exit nodes and their ISPs are in a position to perform these attacks.)
The situation for SecureDrop instances might be safer than for other hidden services because they're probably more professionally run and carefully monitored, and use better-audited and simpler user-facing code, among other reasons, but then again this might not be true because they're also potentially exciting and interesting targets.
For Linux, there's now a "hardened" version of the Tor browser as well (still alpha, I believe), and if you really care about this, you can also use TAILS, Qubes/Whonix, etc. It would probably be best not to use Windows if you want to be anonymous anyway (certainly not Windows 10, which looks like it was designed after a law enforcement wishlist - there are probably dozens of ways in which law enforcement can identify you by using Windows 10's tracking "features").
I don't think there's a way to "easily" make "Chrome over Tor" anonymous and private...
Now that they have moved to multi-process Firefox, they can finally start sandboxing everything. There are already plans in place to start reusing Chrome's sandboxes profiles.
> I don't think there's a way to "easily" make "Chrome over Tor" anonymous and private...
You literally have to fork the browser, they won't maintain the internal APIs required by the Tor team. Hell, they refuse to respect basic SOCKS5 proxy settings [0].
[0]: https://trac.torproject.org/projects/tor/wiki/doc/ImportantG...
We also need solutions for typical end users. In the case of SecureDrop, the users will include people with near-zero technical capability, and little time or motivation to learn something new.
There is no good solution at the moment - one lacks security while the other lacks privacy.
The Chrome browser doesn't respect SOCKS5 proxy settings, lacks stream isolation, and has all sorts of other built-in identifiers. There is a reason the Tor team hasn't switched to using Chrome!
The security it provides is marginal, but it's so simple that it's not the part of anyone's stack that's most likely to be compromised.
I think a significantly better version of this could be built. What makes doing that tricky is that you want to retain the almost hello-world simplicity of this app, because the big reason not to run something like this is the likelihood that the server itself will have flaws.
On the other hand, it's 2017, and you can also accept files over secure messengers.
Later
Amusingly, people seem to think that these are bad things to say about an application like SecureDrop.
The gateway site is only accessible over HTTPS, then it's to an .onion via a link to Tor Browser, and mentions of TAILS; all caveats with using the stated software apply, though.
https://m.youtube.com/watch?v=gpvcc9C8SbM
RIP Aaron
An excellent alternative to SecureDrop. At least so it seems...
Most don't even provide more than a simple contact form or email address...
One rough idea is that large organizations make specific press releases or announcements that a precommitment could demonstrate privileged access to.
Another idea would be inclusion of some internal communication, which other members of the organization could confirm. This would require those other members to be sympathetic to the leaking, and also not worried about reprisals for speaking publicly like so. This probably isn't useful on its own, but the basic mechanism could be combined with other means to derive utility without public attestation.
The biggest issue is (of course) an adversarial organization subtly changing to-be-published information, to sniff out the actual leaker. Which is why I'm envisioning the need for some formality that could quantify and mitigate such leakage.
Then, the various guides, like for sources, suggest submissions are TOR only...
The problem I see is that there will be no more important leaks:
a) Given how around 50% of the US population was brainwashed by government and media into believing Snowden is a traitor,
b) Given the fact that America has elected a president who wants Snowden executed,
c) Given that the NSA has locked down their systems completely since Snowden's revelations.
Who would want to take these risks to leak anything just to be put on "the list" by their own country and People?
If Snowden's leaks were not enough to get people thinking then the only thing that will is serious pain and suffering. And that is what I personally expect to come (for the lower and middle class, at least).
> I think a significantly better version of this could be built. What makes doing that tricky [...]
Would you mind describing, in a few broad strokes, what a better SecureDrop would look like? What would be the main potential changes and improvements?
Trusting the server, developers, Flask (which is by no means a good choice for a secure app, my word) etc... messengers is a better option for sure.
I'd encourage you to help build a better version.
People don't seem to understand what trusted-computing-base actually means.
But pretending that the government is totally locked down, I don't think that eliminates the need for tools for whistleblowing. Look at Enron. The ability for truly anonymous leaking wasn't a real thing at that point. Maybe the lady would have released the information externally about the company's practices had there been something in place to allow her to do so with plausible deniability? Maybe the possibility that someone could leak info now with plausible deniability acts as a means to help guide a current company's moral compass?
And there are people living in other countries who want to leak things about their governments (or corporations), too; what the US thinks about leaks doesn't matter much to them.
Are you sure about that? NSA has been leaking far more recently than in the past. The Shadow Brokers are just one of many. Not to mention, the intercepted signals that are being talked about through the news with the Trump presidency.
That means there's about 159 million people who don't believe he's a traitor.
> b) Given the fact that America has elected a president who wants Snowden executed,
?? Most whistleblowers don't plan to get outed, do they?
> c) Given that the NSA has locked down their systems completely since Snowden's revelations.
If there's one thing I've learned, any system can be considered "locked down", right up until the point that it isn't.
And people need to have access to the data for it to be of any use, right?
It's unfortunate that you jump to the conclusion that those you disagree with are "brainwashed". There are reasons to think he was a whistle blower with good intentions. But there are also reasons, like his leaks of the US government's unquestionably legitimate surveillance of foreign governments, to think he was not. Someone on the other side of the debate could just as well call you brainwashed for discounting or not considering the latter point.
"brainwashed" seems a bit much. I have mixed feelings on the guy. Unfortunately he carried a ton of information and there is no way to completely guarantee he didn't give it to, say, China or Russia or anyone else, nor is there any guarantee that the reporters didn't in turn give it to an adversary.
I get that the privacy conversations that he sparked were great. I'm just not sold on him being all rainbows and sunshine either.
> Given that the NSA has locked down their systems completely since Snowden's revelations.
I would disagree with this assessment but I guess it depends on what you mean by "locked down".
You still trust WikiLeaks?
Are you talking about the trumped-up completely bogus rape case?
Also, anything that helps keep leaked data away from Wikileaks is a good thing. I wouldn't trust them any more. At all.
https://en.wikipedia.org/wiki/Realism_(international_relatio...
And while you may believe with good reason that an individual should have higher loyalties (perhaps to humanity as a whole) than to his nation state, the legal codes of the nation states obviously cannot endorse that view, as it would be destructive of their own power and their competitors will not be so altruistic.
You have a wealth of security experience. SecureDrop is an essential piece of infrastructure in today's reality. It would be beneficial if you contributed your experience as time permits and where applicable to ensure it remains secure if (when?) its functionality is extended.
Features are nice; remaining secure is mandatory.
I think the misunderstanding (if it exists) is my fault, though; rereading, I probably shouldn't have used the word "significantly". I'll try to avoid adjectives first thing in the morning moving forward.
Not huge, but much more complicated than it could be. For instance, it redefined CSRF protection in a weird way: https://github.com/lepture/flask-wtf/blob/master/flask_wtf/c...
But this was more concerning the "webgl" disabled bit.
WebRTC is because of IP leaks via peer connections
We really need a build of chromium that removes the fancier web tech and integrates privacy features of Tor BB
It's just a lot of work to maintain - but a fork of chromium that is a little behind upstream is safer than FF
Tie that all together and it may very well be possible to tie an upload using the Tor network to a particular user visiting some random website at a later date.
You're leaking bits all the time and not all that many of them are required to uniquely identify you.
See https://33bits.org/ for an easy to consume introduction.
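The "33 bits" arithmetic behind that comment, worked through as an added example (not code from the thread or from SecureDrop): each browser attribute a site can observe contributes -log2(frequency) bits, and once the sum passes log2(population) the anonymity set drops below one person. The population figure and the per-attribute frequencies below are constructed illustrations, not measurements.

```python
import math

# Approximate world population; log2 of it is the ~33 bits of the thread's link.
WORLD_POPULATION = 7_500_000_000


def bits_to_identify(population: int) -> float:
    """Entropy (bits) needed to single out one individual in `population`."""
    return math.log2(population)


def surprisal(frequency: float) -> float:
    """Bits learned by observing a value shared by `frequency` of the population."""
    if not 0 < frequency <= 1:
        raise ValueError("frequency must be in (0, 1]")
    return -math.log2(frequency)


def combined_bits(observed: dict) -> float:
    """Sum per-attribute surprisal. Assumes attributes are independent, so this
    is an upper bound; correlated attributes (e.g. OS and fonts) leak fewer bits."""
    return sum(surprisal(f) for f in observed.values())


def anonymity_set(population: int, bits: float) -> float:
    """Expected number of people in `population` who match `bits` of observations."""
    return population / (2 ** bits)


def is_unique(population: int, observed: dict) -> bool:
    """True when the observed attributes are expected to pinpoint one person."""
    return anonymity_set(population, combined_bits(observed)) < 1


# Constructed frequencies for a stock desktop browser (hypothetical values).
STOCK_BROWSER = {
    "user_agent": 1 / 1024,    # 10 bits
    "timezone": 1 / 16,        # 4 bits
    "screen": 1 / 64,          # 6 bits
    "fonts": 1 / 65536,        # 16 bits
    "language": 1 / 4,         # 2 bits
}

# The same attributes when a browser standardises them across all its users:
# most values are shared by everyone, so they carry (almost) no information.
UNIFORMED_BROWSER = {
    "user_agent": 1.0,
    "timezone": 1.0,
    "screen": 1 / 4,
    "fonts": 1.0,
    "language": 1 / 4,
}
```

With the constructed stock-browser values the five attributes sum to 38 bits, more than the ~32.8 needed; the standardised profile leaks 4 bits and leaves an anonymity set in the hundreds of millions.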