by tptacek 3411 days ago
This is a trivial Flask file uploading application, with a "code name"-based feedback system, wrapping GnuPG's Python bindings, intended to be run on Tor.

The security it provides is marginal, but it's so simple that it's not the part of anyone's stack that's most likely to be compromised.

I think a significantly better version of this could be built. What makes doing that tricky is that you want to retain the almost hello-world simplicity of this app, because the big reason not to run something like this is the likelihood that the server itself will have flaws.

On the other hand, it's 2017, and you can also accept files over secure messengers.

Later

Amusingly, people seem to think that these are bad things to say about an application like SecureDrop.

6 comments

We currently offer SecureDrop as one of the ways folks are offered to send in tips to The New York Times.

https://www.nytimes.com/tips

> I think a significantly better version of this could be built. What makes doing that tricky [...]
Would you mind describing, in a few broad strokes, what a better SecureDrop would look like? What would be the main potential changes and improvements?
Yeah, I'll do that. Let me run thoughts past some other people first.
SecureDrop isn't just an application, it also encompasses the infrastructure setup and opsec procedures required for the submission system to function securely.
+1 It also teaches the receiving end how to receive and work with sensitive materials in a more secure way. That has actually been the hardest part of the implementation we did: teaching the journalists how to treat the material received. We also tried to create a fairly informative page for the tipsters: https://www.dn.no/staticprojects/2016/12/securedrop/ (in Norwegian)
Agreed on unnecessary complexity, but it's not a trivial app. Quickly scrolling through the sources, we see dozens of endpoints, and each is potentially vulnerable.

Trusting the server, developers, Flask (which is by no means a good choice for a secure app, my word), etc... messengers are a better option for sure.

The endpoints don't do much, the app delegates most of its functionality to very well-known Python libraries, there's minimal backend, no account system... it's a pretty auditable piece of code. If you can't get a handle on the security of this thing, there's no web app you can get a handle on.
There is an account system too - journalists get passwords, sources get "code names".

Not huge, but much more complicated than it could be. For instance, it redefined CSRF protection in a weird way https://github.com/lepture/flask-wtf/blob/master/flask_wtf/c...

SecureDrop is used by NYT-level companies. I thought using it was a no-brainer for any news media. Now I am having doubts :((
Overcomplicated doesn't mean insecure, but the less code the better.
OT: homakov and tptacek in the same thread <3
> I think a significantly better version of this could be built.

I'd encourage you to help build a better version.

I think people think I'm saying something I'm not. The point of that paragraph isn't that SecureDrop is terrible; it's that attempts to improve it need to be mindful of the fact that SecureDrop's simplicity is an important part of why it's considered safe to run. The point is that there are a bunch of "features" you could add to this, including things that might ostensibly improve privacy and safety, but that you don't necessarily want to adopt a more complicated version of it.
I don't disagree at all! I admit, the comment you replied to of mine was lazy. Let me expound:

You have a wealth of security experience. SecureDrop is an essential piece of infrastructure in today's reality. It would be beneficial if you contributed your experience as time permits and where applicable to ensure it remains secure if (when?) its functionality is extended.

Features are nice; remaining secure is mandatory.

Some of us are already talking to Garrett, who is plenty clueful on his own. :)

I think the misunderstanding (if it exists) is my fault, though; rereading, I probably shouldn't have used the word "significantly". I'll try to avoid adjectives first thing in the morning moving forward.

Could you elaborate on what you consider lacking?
Privacy and security?
> Amusingly, people seem to think that these are bad things to say about an application like SecureDrop.

People don't seem to understand what trusted-computing-base actually means.