On Wednesday afternoon, vulnerability and exploit research firm Exodus Intelligence disclosed a security vulnerability that would allow an attacker to deanonymize a user of Tails, the operating system that many journalists rely on to communicate securely with sources and that we have written about before. Tails is also integral to SecureDrop, our open-source whistleblower submission system, so we wanted to clarify if and how the vulnerability affects users of this system.
The vulnerability lies within the I2P software, which is bundled with Tails by default and can be used to connect to an alternative anonymity network. For this attack to work, a user would have to manually start the I2P software and view content that the attacker controls (e.g. by being tricked into visiting a specific website). Journalists and sources using Tails to access SecureDrop are not vulnerable to this attack unless they manually start the I2P software.
In a post published Thursday evening, the Tails developers suggest you protect yourself further by completely removing the I2P software every time you start the operating system. To do so, set an administration password and run the following command in the terminal: sudo apt-get purge i2p
This episode also shows why it's vital that we continue to support free software projects such as Tails, so they have enough funding to identify and fix potential vulnerabilities quickly. Currently, we are crowd-funding for four such free and open-source tools, including Tails and the Tor Project. Please consider donating to support these tools that can better protect the communications of journalists and sources.
If you have any questions, please email firstname.lastname@example.org.