Interest Article

Advisory: SecureDrop is no longer accepting submissions. Now what?

May 1, 2019

As of May 1, 2019, Ubuntu 14.04 (Trusty) has reached End of Life. SecureDrop instances running Trusty will no longer receive security updates for operating system packages, the kernel, or SecureDrop itself.  This means that a sufficiently severe vulnerability discovered in any of those components may permit an adversary to compromise SecureDrop servers running Trusty.

Support for Ubuntu 16.04 (Xenial) was added to SecureDrop in February 2019, and documentation and support for the Xenial upgrade process was offered to maintainers of all known instances.

For security reasons, the Source Interfaces of SecureDrop instances that have not yet been upgraded to Xenial have been disabled, and will no longer accept submissions. To restore service, we recommend that instance administrators reinstall SecureDrop on new or existing hardware, without restoring a backup from the original instance.

What this means for sources

If you were in contact with an organization via SecureDrop, and you find it disabled before you have established another communications channel to use, we recommend that you wait until their new instance is set up and advertised via their landing page or the SecureDrop directory before resuming contact.

Note that if the organization follows the recommended procedure, their Source Interface .onion address will change, and existing codenames will no longer work.

We recommend against communicating with an organization by other means if you have previously exclusively used SecureDrop. Given that they have no way of linking your codename to your submissions, you should not provide it to anyone who asks.

What this means for journalists and administrators

You should download any submissions that you want to keep via the Journalist Interface as soon as possible, and then either securely dispose of your SecureDrop servers’ storage or reuse the hardware for your new instance. Please see our instructions for upgrading to Ubuntu 16.04 after April 30 for more information.

If you maintain a SecureDrop instance, and have questions or comments regarding this process, please don’t hesitate to reach out:

  • via our Support Portal, if you are a member (membership is approved on a case-by-case basis);

  • via securedrop@freedom.press (GPG encrypted) for sensitive security issues (please use judiciously);

  • via our community forums.

Return to News