by garrettr_
3427 days ago
(SecureDrop developer here). Obviously we agree, using a SecureDrop-specific subdomain makes traffic analysis trivial. Our deployment best practices [0] warn folks not to use subdomains. Sadly, since SecureDrop is decentralized, we cannot enforce this, and some organizations apparently find it very difficult to provision a separate path ("example.com/securedrop" instead of "securedrop.example.com") for their SecureDrop landing page.

[0]: https://docs.securedrop.org/en/stable/deployment_practices.h...

misc.mydomain.com/securedrop
misc.mydomain.com/pacman-game
misc.mydomain.com/portraits-of-frieda-kahlo

Ideally you'd leave it at the top level since obviously whatever other random junk you put on the subdomain will be lower-traffic than the main domain, but at least here there's plausible deniability (I was just clicking on an easter egg that played pac-man!)