Forgot your password?
Merry Christmas and Happy New Year 2019
Add…
Document Actions
Review of Guardian's SecureDrop
Preliminary review of Guardian's SecureDrop system for whistleblowers for submitting confidential documents to Guardian journalists.
Directions for whistleblowers on SecureDrop https page
On landing SecureDrop https page https://securedrop.theguardian.com/ Guardian doesn't provide an actual link to http://33y6fjyhs3phzfjj.onion which is essential! Many specially non tech people will make mistakes retyping it from picture where it's only available and page doesn't explicitly tell them that, which will lead to failure, frustration and compromise of anonymity and security! I know the reason why they do that, to prevent automatic harvesting of . oninon page and to prevent automated attacks on it. But security through obscurity never works.
Whistleblowers should only use one fresh browsing tab with new identity in Tor browser for Guardian onion link only. All this is minimum needed. BTW Tor browser default setting is to remember 50 previous ULRs on each tab... Using only noncompromised SSL Perfect Forward Secrecy ciphers, enabled Private browsing, disabled JavaScript (at least warning for disabling it works), disabled Fonts and using default unresized Tor Browser window is also essential, etc... Guardian must demand all this from their whistleblowers and they must confirm their settings on IP check, QualysSSL, Browser leaks, Panopticlick and How's my SSL before coming to Guardian in fresh and only tab to really stay anonymous and secure.
SSL
Guardian's is using Comodo Certificate Authority for their SSL certificate on last https SecureDrop page. Big mistake, as we all know any CA commercially issued certificate pages are not safe any more. It's essential to use self signed SLL certificate, because this last page and of course the .onion page will be used by whistleblowers and 100% monitored 24/7 by NSA and Co, certainly every commercial SSL certificate will be compromised. They're using 2048/256 RSA encryption which is OK for normal use, but for such implementation they should use 4,096/256 RSA encryption.
Servers
SecureDrop https page is on two Amazon.com cloud service servers located in Dublin, Ireland. More info on link and below
https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fsecuredrop.theguardian.com
SecureDrop servers are separated from theguardian.com (which BTW has bad SSL info https://www.ssllabs.com/ssltest/analyze.html?d=theguardian.com).
More on SecureDrop servers below, you get detail by clicking on IPs and links.
| Server | Domain(s) | Test time | Grade | |
|---|---|---|---|---|
| 1 | 54.72.198.41 ec2-54-72-198-41.eu-west-1.compute.amazonaws.com Ready | securedrop.theguardian.com | Thu Jun 05 16:54:33 UTC 2014 Duration: 69.362 sec | A |
| 2 | 54.194.104.181 ec2-54-194-104-181.eu-west-1.compute.amazonaws.com Ready | securedrop.theguardian.com | Thu Jun 05 16:55:43 UTC 2014 Duration: 69.781 sec | A |
SSL Protocol Details
| Protocol Details | |
| Secure Renegotiation | Supported |
| Secure Client-Initiated Renegotiation | Supported DoS DANGER (more info) |
| Insecure Client-Initiated Renegotiation | No |
| BEAST attack | Not mitigated server-side (more info) SSL 3: 0xc013, TLS 1.0: 0xc013 |
| TLS compression | No |
| RC4 | Yes (not with TLS 1.1 and newer) (more info) |
| Heartbleed | No (more info) |
| Forward Secrecy | With modern browsers (more info) |
| Next Protocol Negotiation | No |
| Session resumption (caching) | Yes |
| Session resumption (tickets) | Yes |
| OCSP stapling | No |
| Strict Transport Security (HSTS) | No |
| Long handshake intolerance | No |
| TLS extension intolerance | No |
| TLS version intolerance | TLS 2.98 |
| SSL 2 handshake compatibility | Yes |
| Miscellaneous | |
| Test date | Thu Jun 05 16:54:33 UTC 2014 |
| Test duration | 69.362 seconds |
| HTTP status code | 200 |
| HTTP server signature | Apache/2.2.27 (Amazon) |
| Server hostname | ec2-54-72-198-41.eu-west-1.compute.amazonaws.com |
| PCI compliant | Yes |
| FIPS-ready | No |
SecureDrop https pages are hosted on Amazon.com cloud service in Dublin, Ireland which is big security and privacy problem. Because US authorities can order all data on server any time and getting log data of whistleblowers beside that hacking Amazon is no big deal. NSA is monitoring this two server IPs all the time and fingerprinting every connecting browser to get whistleblowers IPs or their personal identities. Perfect Forward Secrecy SLL chiphers (FIPS) is not enabled as default and works only on newer browsers, must work on all. Https SecureDrop pages default to AES-128 ciphers and not AES-256 as they should. Servers are vurnable to DoS attacks. Beast attack is not mitigated on server side. Https doesn't default to TLS 1.2 as it should. RC4 chipher should be disabled as it not secure any more. OCSP stapling is not supported as is not Strict Transport Security (HSTS), both are mandatory. SSL2 handshake should be disabled as it's not secure any more... So not a safe place for whistleblowers yet.
Sorry this is total no go, because every whistlblowers first comes to this page before going to .onion page. All access and log data on such server, specially in the cloud used for such pages is not secure! Hope they're not so fullish to use same sever for .onion page. WikiLeaks.org and I at WikiActions.org (WikiLeaks.si) used Sweden's PRQ's servers. But Sweden and PRQ are not safe any more. Server for .onion SecureDrop should be somewhere Europe in countries leading the press freedom list and at hosting provider that can assure security and anonymity. OVH doesn't come in question because it doesn't allow use of Tor network on it's servers anymore.
33y6fjyhs3phzfjj.onion page
You must enable cookies to reach the actual .onion submit page, very big security and anonymity problem. This should go without cookies.
To do
When I'll have enough time I'll do thorough vulnerability and penetration test of SecureDrop https and .onion pages.
Conclusion
Sorry, but this is very bad implantation of SecureDrop! Guardian has a lot more to do until their SecureDrop is really secure and anonymous. This system is not ready for production yet!
BTW I have more then 20 years experience in IT security and privacy and was administrator of WikiActions.org (WikiLeaks.si) alternative WikiLeaks site for more than three years... If you need help let me know.
