top | item 7998048

SecureDrop

316 points| brianmwaters_hn | 11 years ago |ssl.washingtonpost.com | reply

95 comments

[+] FiloSottile|11 years ago|reply
If the leaker visits this page before opening the Tor Browser from a regular browser to copy the onion URL, the whole thing is as safe as SSL, as there will be a trail of the SSL connection just before the visit to SecureDrop. And they don't even explain how to avoid it.

OPSEC is hard.

[+] handsomeransoms|11 years ago|reply
(Securedrop dev here) This is a really good point. Unfortunately, we're "as safe as SSL" no matter what, unless the source has a separate way to verify the .onion address on the SSL-protected page. They can use the SecureDrop directory for that (and we're working on other schemes as well), but it's not automated so only a handful of very cautious sources would likely do this.

I'm not sure how we could explain to avoid it - where would the explanation go? Visiting that page would be just as much of a correlation, no? It's kind of a chicken and egg problem, unless the source is already using Tor.

Avoiding the "trail of the SSL connection" also suggests we should be doing something to combat website fingerprinting, which we have discussed but do not have a clear solution for yet.

Our current thinking is that just visiting the landing page is not enough to prosecute a source. We can do better, and are working on it, but it's difficult.

[+] glomph|11 years ago|reply
Only if they visit the page just before. Seems plausible they would read about it, set it up and then drop their documents at a later date as a default behavior.

I agree it would probably be a good idea to put a warning about such a problem though.

[+] cik|11 years ago|reply
There's this hard tradeoff that most people are willing to make, between making things more 'secure' and making things usable by the general public. I just wish that attention would be paid to the security side of things.

Ultimately, we can write descriptive documentation, but getting it read and understood is hard. Cryptoparties are, again, a great idea, but getting the non-technical user involved is damned hard.

IMHO these things always come down to "how do we make it easy for the public, whilst keeping it REALLY secure". How does security become a general piece of education, much akin to math, or at least history?

[+] lawl|11 years ago|reply
Embed the page as iframe and scrub the referrer on every page a viewer visits.

That should make it hard enough to correlate any data, I guess they have enough visitors.

[+] tripzilch|11 years ago|reply
Please correct me if I'm wrong but, right now, at home, I visited that site. Hardly suspicious at all, since it's on HN front page. I could write down the .onion url on a piece of paper (or just print the page, as reference) and then later follow the instructions posted there, at a semi-anonymous Internet cafe, without having to visit that page, right?
[+] giarc|11 years ago|reply
That's like saying John Smith went to a bank withdrew money at 1pm on Jan 1. Then the bank was robbed at 1:10 Jan 1 therefore John Smith robbed the bank.

I don't think you can connect visiting the info page and the very next SecureDrop file upload.

[+] dheera|11 years ago|reply
Or if the submitter accidentally leaves their cell phone on en route to or while at said public location ...
[+] xxchan|11 years ago|reply
The leaker can always visit the SSL site via Tor, which would solve the problem.
[+] esonderegger|11 years ago|reply
If anyone from WaPo visits here, you've got some typos on that page:

"Download and install the Tor browser bundle from Download and install the Tor browser bundle from https://www.torproject.org/" should be "Download and install the Tor browser bundle from https://www.torproject.org/"

"You will be provided with a codename that you will use it to log in to check for replies from The Post." should not have the word "it".

Otherwise, great work! I'm really glad that you're doing this and featuring it prominently on your home page.

[+] hackuser|11 years ago|reply
I worry that the Washington Post has unintentionally created a honeypot for leakers. I wonder if the Post has the resources to sufficiently secure it:

The requirement for security is to make successful attacks more expensive than they are worth for the attackers. (There is no perfect security, of course.)

How much is information leaked to the WP worth? It's information that can change the course of history; it could make war or peace; it could be worth billions or even trillions of dollars; it could simply change the course of the stock market or of one stock and be worth billions to an individual.

If I ran a state intelligence service, with the fate of my nation and all my citizens in my hands, I would be irresponsible not to invest in monitoring the Washington Post (and the NY Times, and others') "secure" tip line. If I ran an unscrupulous business, it would be worth it, if only for the information relevant to the stock market. EDIT: Also, the information can change the course of elections and be a target of unscrupulous politicians.

I find it hard to believe that the Washington Post or any news organization has the resources to protect assets that valuable.

[+] dewey|11 years ago|reply
In case you don't have Tor installed and want to know what it looks like: https://imgur.com/GbwKfuG,D2aWi25,glApNg3
[+] toni|11 years ago|reply
Very refreshing to see a big, red warning in the screenshot about the fact that Javascript is enabled! Usually you see the same thing when Javascript is disabled, asking you to enable it.
[+] blauwbilgorgel|11 years ago|reply
Does anyone know what the codenames are like? If they are easy enough to remember, then they may be easy enough to brute-force?

I think this is a great concept, yet perhaps too little, too late (journalists should know PGP, and drop boxes like these should have been common already). I also worry a bit because of the Washington Post's track record with leaks, off the top of my head:

- Washington Post was Snowden's first choice, but they put up enough demands for Snowden to move to The Guardian. [1]

- Washington Post, according to Assange, had access to the "Collateral Murder" video a whole year before WikiLeaks published their edited video. [2]

- Washington Post employs op-ed columnists that call for assassination of "criminally dangerous" leakers like Assange [3]

[1] http://nymag.com/daily/intelligencer/2013/06/nsa-leaker-shop... [2] http://www.abc.net.au/foreign/content/2010/s3040234.htm [3] http://www.washingtonpost.com/wp-dyn/content/article/2010/08...

EDIT: More information on SecureDrop: https://pressfreedomfoundation.org/securedrop and source here: https://github.com/freedomofpress/securedrop

[+] handsomeransoms|11 years ago|reply
Securedrop dev here. We tried to balance the memorizability of codenames (aka Diceware passphrases) with their length. The current minimum length is 8 words from a list of 6969 words, so you get math.log(6969**8, 2) = 102 bits of entropy, which is quite good. Additionally, the codenames are stretched with scrypt, which affords an extra (approx.) 14 bits of entropy (that's our current work factor).

We are continuing to discuss and debate this trade-off. Other ideas welcome!

[+] gabemart|11 years ago|reply
> Does anyone know what the codenames are like? If they are easy enough to remember, then they may be easy enough to brute-force?

I don't know what they're like, but if you take a list of 5000 common words and use 4 random entries for each codename, there are 625,000,000,000,000 possible combinations. Brute-forcing the entire space at 100,000 tries per second would take ~200 years.

Edit: I made a toy jsfiddle version: http://jsfiddle.net/SwWZ9/10/

The wordlist is just a random sampling of English nouns (I couldn't find a quick source of common nouns long enough). It may contain profanity, watch out!
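
The two comments above (handsomeransoms on 8 words from a 6969-word list plus scrypt, gabemart on 4 words from 5000) are doing the same arithmetic, so here is the calculation written out as code, with codename generation and the stretching step alongside it. This is an added example, not SecureDrop's own code or either commenter's jsfiddle; the toy wordlist is constructed (only its length matters for the entropy figure), and the scrypt parameters N=2^14, r=8, p=1 are an assumption chosen to match the "approx. 14 bits" work factor cited, not the project's actual settings.

```python
import hashlib
import math
import secrets

# Constructed toy wordlist for demonstration. A real Diceware list has 7776
# entries; the dev comment cites 6969. Only len(wordlist) enters the math.
WORDLIST = ["able", "acid", "aged", "also", "area", "army", "away", "baby",
            "back", "ball", "band", "bank", "base", "bath", "bear", "beat"]


def gen_codename(wordlist, n_words):
    """Draw n_words uniformly at random, with replacement, from a CSPRNG.

    secrets.choice avoids the modulo bias and predictability of random.choice;
    sampling with replacement keeps the keyspace exactly len(wordlist)**n_words.
    """
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(list_size, n_words):
    """Keyspace entropy: log2(list_size ** n_words) == n_words * log2(list_size)."""
    return n_words * math.log2(list_size)


def effective_bits(list_size, n_words, log2_work_factor):
    """Entropy plus the log2 cost per guess added by the stretching function.

    Stretching does not add randomness; it multiplies the attacker's cost per
    guess by 2**log2_work_factor, which is equivalent to that many extra bits
    against a brute-force attacker (and nothing else).
    """
    return entropy_bits(list_size, n_words) + log2_work_factor


def brute_force_years(list_size, n_words, guesses_per_second):
    """Wall-clock years to enumerate the entire keyspace at a fixed guess rate."""
    keyspace = list_size ** n_words
    seconds = keyspace / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def stretch_codename(codename, salt, log2_n=14):
    """Derive a 32-byte verifier from the codename with scrypt.

    N=2**log2_n is an assumed work factor picked to match the ~14 bits in the
    comment above. Memory use is 128 * N * r bytes (16 MiB here), which stays
    under hashlib's default maxmem.
    """
    return hashlib.scrypt(codename.encode("utf-8"), salt=salt,
                          n=2 ** log2_n, r=8, p=1, dklen=32)


if __name__ == "__main__":
    for size, words in ((6969, 8), (5000, 4)):
        print(f"{words} words from {size}: {entropy_bits(size, words):.1f} bits, "
              f"{brute_force_years(size, words, 1e5):.0f} years at 1e5 guesses/s")
    name = gen_codename(WORDLIST, 8)
    print("example codename:", name)
    print("scrypt verifier:", stretch_codename(name, salt=secrets.token_bytes(16)).hex())
```

The numbers agree with both comments: 8 words from 6969 is about 102 bits, and 4 words from 5000 is about 49 bits, which at 100,000 guesses per second takes roughly 198 years to exhaust. The caveat a practitioner should attach to the second figure is that 1e5/s is an online rate; an attacker who obtains the stored verifiers tries offline at GPU speed, and against an unstretched 49-bit space that is hours rather than centuries, which is exactly why the stretching step and the longer minimum matter.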

[+] jacorreia|11 years ago|reply
Your codename seems to be a collection of random words, the number of which you get to specify.
[+] peterwwillis|11 years ago|reply
Tor hidden services are not bulletproof. Just as a really simple example, you can do network traffic analysis to find network nodes with one-way traffic to hosts without a correlated public service and deduce if a hidden service is nearby.

There are several exploits which have been used in the past to expose Tor hidden services, and several papers on theoretical ways to expose them. Many of these attacks can be used in reverse to expose the origin of a connection to a hidden service.

In the [not so] extreme case, the govt can always issue a National Security Letter to WaPo and scoop up any data it wants directly from the hidden service servers, similar to its Silk Road and Freedom Hosting takedowns.

The FBI TOR Exploit [ http://resources.infosecinstitute.com/fbi-tor-exploit/ ]

Heartbleed used to reveal Tor hidden services [ https://blog.torproject.org/blog/openssl-bug-cve-2014-0160/ ]

Hot or Not: Revealing hidden services by their clock skew [ http://www.cl.cam.ac.uk/~sjm217/papers/ccs06hotornot.pdf ]

Tor Hidden Service Passive De-Cloaking [ http://blog.whitehatsec.com/tor-hidden-service-passive-de-cl... ]

[+] angry_octet|11 years ago|reply
If all Post correspondents used SecureDrop to submit their stories that would be a start.

One would have to assume that all the traffic going to the server is logged by the NSA and anyone else who can manage it. If the traffic volume is low then timing correlation with even a large pool of suspects is simple. An active attacker can differentiate between the SSL connection from a web browser and one from a tor node, so the background SSL traffic to the Post would not provide cover.

I think it could be improved by using a mix network (eg mixminion) accessed over tor, rather than just tor.

Unfortunately the mixmaster/mixminion networks are currently too small to provide meaningful complexity. Large scale adoption by, eg, newspapers, is not technically hard and would significantly complicate the adversary problem.

I'd love to see more discussion of bitmessage and Pond (https://pond.imperialviolet.org/)

cf http://www.syverson.org/
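
The timing-correlation concern raised at the top of the thread (a clearnet TLS visit to the landing page shortly before a hidden-service submission) and angry_octet's point above about correlating low-volume submission traffic against a pool of suspects are the same attack, so here is its simplest form run over constructed logs. This is an added example, not code from the thread or from the SecureDrop project. It assumes an observer who can see both the TLS connection log for the landing page (timestamp and client address) and the times at which the hidden service received submissions; the log lines and addresses are constructed sample data.

```python
from datetime import datetime

# Constructed sample data (not real traffic). Addresses are from the RFC 5737
# documentation ranges. One reader (192.0.2.33) fetches the page and submits
# three days later; another (198.51.100.7) reads the page twice and never submits.
LANDING_HITS = [
    ("2014-06-05T13:00:10", "203.0.113.5"),
    ("2014-06-05T13:00:40", "198.51.100.7"),
    ("2014-06-05T13:01:05", "203.0.113.9"),
    ("2014-06-05T13:05:30", "192.0.2.33"),
    ("2014-06-05T13:06:10", "198.51.100.7"),
    ("2014-06-05T13:08:12", "198.51.100.20"),
]
SUBMISSIONS = ["2014-06-05T13:03:00", "2014-06-05T13:07:00", "2014-06-08T09:30:00"]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def correlate(hits, submissions, window_s):
    """Map each submission time to the client addresses that fetched the landing
    page within window_s seconds before it.

    This is the 'visited the instructions, then used them' link the thread worries
    about. A large candidate set on a busy page is weak evidence; a singleton is
    strong; an empty set means the visit fell outside the window entirely.
    """
    out = {}
    for sub in submissions:
        t_sub = parse(sub)
        out[sub] = {ip for ts, ip in hits
                    if 0 <= (t_sub - parse(ts)).total_seconds() <= window_s}
    return out


def narrow(candidates):
    """Intersect the non-empty candidate sets across submissions.

    An observer who assumes one source made several submissions intersects the
    sets to shrink the suspect pool. Empty sets are skipped because they carry
    no information about who visited; note that on the constructed data this
    narrows to a reader who never submitted anything, which is the 'John Smith
    at the bank' false positive from the thread.
    """
    sets = [s for s in candidates.values() if s]
    if not sets:
        return set()
    return set.intersection(*sets)


if __name__ == "__main__":
    result = correlate(LANDING_HITS, SUBMISSIONS, window_s=300)
    for sub, ips in result.items():
        print(f"{sub}: {len(ips)} candidate(s) {sorted(ips)}")
    print("intersection across submissions:", sorted(narrow(result)))
```

With a five-minute window the first submission has three candidates, the second has two, the submission three days later has none (glomph's point: read now, drop later), and intersecting across submissions wrongly singles out the reader who refreshed the page twice. The design lesson for the defender is that this observer needs only coarse timestamps, so the mitigations are on the source side (visit the landing page over Tor, or well before submitting) and on the operator side (enough unrelated traffic to the hidden service and the landing page that the candidate sets stay large).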

[+] DustinCalim|11 years ago|reply
This is brilliant, and a smart move for the WP, despite some of the criticisms below. I think it's a much needed, if romantic, idea that harkens back to the transparency of Wikileaks, and gives WP a great little heads up over some of the other papers. I wouldn't be surprised to watch the others follow suit soon.
[+] tlrobinson|11 years ago|reply
Random question: has anyone attempted to build a Tor-like system (or bridge to the actual Tor network) using WebRTC?

Assuming you were able to avoid the "JavaScript crypto problem", would this be a good or bad idea?

[+] hadoukenio|11 years ago|reply
Sometime in the near future, I predict that the US will require some form of photo ID before using an internet kiosk. As usual, the spin will be to protect the children.
[+] taco_john|11 years ago|reply
USA is pretty low on the list of countries I could imagine implementing something like this. Given Russia's, China's, and a large portion of SEA countries' internet censorship track records...
[+] revscat|11 years ago|reply
I have a better idea. Make it so that some traffic receives higher priority than others, and force content providers to have to pay to play. Then limit competition at the ISP level so that to succeed you have to pay a monopoly to carry your traffic in a timely manner.

No need for something as heavy as what you propose.

[+] blueskin_|11 years ago|reply
Fortunately, they can't do that for all the open/WEP/WPS wireless APs everywhere.
[+] Maakuth|11 years ago|reply
No, for your convenience, you only need to identify yourself in the case that you exit the kiosk without using any sort of web service account that can be used to identify you ;)
[+] MikeTaylor|11 years ago|reply
Good thing criminals have no way to obtain a fake photo-ID.
[+] zerohm|11 years ago|reply
There's always McDonald's, except, you are probably on camera.
[+] dan_bk|11 years ago|reply
If you depend on your anonymity, do not use Tor.
[+] lnanek2|11 years ago|reply
Wow, Tor is still a thing? We have confirmation that security agencies have taken over exit nodes and injected spyware before to track targets. I'm surprised anyone uses it. It's like the security lottery.
[+] icebraining|11 years ago|reply
Exit nodes are irrelevant for hidden services like WaPo's SecureDrop, the connection never leaves the Tor network.
[+] meowface|11 years ago|reply
The NSA leaks reveal that for the most part, Tor is still secure if you're using a sufficient number of intermediary nodes.

If anything, the real concern here is the implicit encouragement to use local library computers, which would be much easier for a government agency (or cybercriminal) to infect with malware and observe.

[+] sp332|11 years ago|reply
Tor isn't some magic wand you can wave to get security, but it helps. The core Tor software's job is to conceal your identity from your recipient, and to conceal your recipient and your content from observers on your end. By itself, Tor does not protect the actual communications content once it leaves the Tor network. This can make it useful against some forms of metadata analysis, but this also means Tor is best used in combination with other tools. https://blog.torproject.org/blog/prism-vs-tor
[+] middleclick|11 years ago|reply
I want to ask for citations but I think I will skip. But no, you are wrong.