The release of the next version of SecureDrop, 0.7.0, is scheduled for May 15, 2018 [updated]. We will send out another notification through this blog, Twitter, and the support portal when the release is live. Changes that journalists and administrators should be aware of are summarized in this blog post. A complete list of changes can be found on GitHub.
What’s coming in SecureDrop 0.7.0?
For sources
- UI change: The Source Interface will make it clearer that SecureDrop accepts files of any type. (Issue, Pull Request)
- UI change: When sources access the Source Interface using the Orfox mobile web browser, a warning will be displayed suggesting they use the desktop Tor browser instead. The reason is that Orfox has not yet been audited, and does not offer all the anonymity protections the desktop browser does. (Issue, Pull Request)
For journalists
- New feature: If enabled by your SecureDrop administrator (see below), you will be able to receive a daily encrypted email notification informing you whether or not new submissions are available on your SecureDrop instance. This is only a yes/no notification for security reasons. (Issue, Pull Request)
For administrators
- New feature: You will be able to configure your SecureDrop servers to allow administration via SSH over your local network (rather than the Tor network). You should not enable this option unless you consistently have physical access to your SecureDrop servers. If you do consistently have physical access and are frustrated by the slowness of the Tor network, see below for instructions on how to enable this feature. (Issue, Pull Request)
- New feature / behavior change: You will be able to configure the time of day at which the SecureDrop servers reboot via securedrop-admin sdconfig (it was previously possible to set this time by manually editing a configuration file, which is now discouraged). See below for instructions on how to use this feature. (Pull Request)
- New feature / behavior change: Once the SecureDrop code on the Journalist and Admin Workstations has been updated following the manual procedure described below, the workstation will automatically alert the user about any future SecureDrop-specific updates, and allow the user to perform the update through a graphical user interface. (Issue, Pull Request)
- New feature / behavior change: Any logo you upload for your SecureDrop instance will be automatically converted to PNG format. The logo will also be resized if it is too large, which is done to ensure that the Source Interface loads quickly. These changes only affect newly uploaded logo files. (Issue 1, Issue 2, Pull Request)
- Bugfix: On both new and existing SecureDrop installs, unnecessary Ubuntu default kernel packages will be correctly removed. (Issue 1, Issue 2, Pull Request 1, Pull Request 2)
- Bugfix: When securedrop-admin cannot reach the primary GPG keyserver, it will attempt to contact an alternative keyserver. This fixes the problem that the update would sometimes abort due to keyserver connection issues. (Issue, Pull Request)
- Metadata minimization: To mitigate against timing analysis of SecureDrop submissions, timestamps will be stripped from the metadata of submission archives. Since the archives are encrypted, this metadata was previously only available on the Secure Viewing Station. (Issue, Pull Request)
What administrators will need to do
SecureDrop Application and Monitor Server code will be updated automatically.
To make use of the new features described in the following sections, and to activate the new updater on all Journalist and Admin Workstations, you have to follow the detailed, pre-0.6 procedure for updating your workstation SecureDrop code. First, ensure that you have set a Tails administrator password (documentation). Then, on the workstation to be updated, perform the following steps in a terminal.
cd ~/Persistent/securedrop
git fetch --tags
gpg --recv-key "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77"
git tag -v 0.7.0
The output should include the following two lines:
gpg: using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77
gpg: Good signature from "SecureDrop Release Signing Key"
Please verify that each character of the fingerprint shown here matches what you see on the screen of your Admin Workstation. Once you have verified the signature and fingerprint, you can update to the latest release:
git checkout 0.7.0
./securedrop-admin setup
./securedrop-admin tailsconfig
From now on, the SecureDrop Updater user interface will appear when you boot the workstation, but only when updates are needed. Users only need to click “Update Now” instead of performing the steps described above.
Please note that this only updates the SecureDrop code on the workstation. Tails upgrades still have to be performed separately.
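The tag verification step above asks you to compare the fingerprint character by character. As an added example (not part of the SecureDrop code or of the original post), the following shell function performs that comparison on the output of git tag -v; the helper names and the sample outputs are constructed for illustration, and it assumes gpg prints its messages in English as shown above.

```shell
#!/bin/sh
# Added example: compare `git tag -v` output with a pinned release key fingerprint.
# Fingerprint as given in this post for `gpg --recv-key` (spaced form).
EXPECTED_FPR="2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77"

# Strip whitespace and upper-case, so spaced and compact forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# check_tag_output OUTPUT FPR (hypothetical helper name)
# Succeeds only if OUTPUT names exactly one signing key, that key equals FPR,
# and gpg reported a good signature. The user ID string is set by whoever made
# the key, so the fingerprint comparison is the check that matters.
check_tag_output() {
    want=$(normalize_fpr "$2")
    [ "${#want}" -eq 40 ] || return 1   # require a full fingerprint, not a short key ID
    got=$(printf '%s\n' "$1" |
          sed -n 's/^gpg: *using RSA key \([0-9A-Fa-f]*\) *$/\1/p')
    # Two or more "using RSA key" lines concatenate to over 40 characters and fail here.
    [ "$(normalize_fpr "$got")" = "$want" ] || return 1
    printf '%s\n' "$1" |
        grep -q '^gpg: Good signature from "SecureDrop Release Signing Key'
}

# Constructed sample outputs (English gpg messages, as shown in the post).
GOOD_OUTPUT='gpg:                using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77
gpg: Good signature from "SecureDrop Release Signing Key"'
# Constructed: valid signature and familiar name, but a made-up signing key.
OTHER_KEY_OUTPUT='gpg: using RSA key 0000111122223333444455556666777788889999
gpg: Good signature from "SecureDrop Release Signing Key"'
# Constructed: right key, but the signature does not verify.
BAD_SIG_OUTPUT='gpg: using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77
gpg: BAD signature from "SecureDrop Release Signing Key"'

for sample in "$GOOD_OUTPUT" "$OTHER_KEY_OUTPUT" "$BAD_SIG_OUTPUT"; do
    if check_tag_output "$sample" "$EXPECTED_FPR"; then
        echo "OK: tag signed by expected key"
    else
        echo "REJECT: do not check out this tag"
    fi
done
# On a workstation: check_tag_output "$(LC_ALL=C git tag -v 0.7.0 2>&1)" "$EXPECTED_FPR"
```

The second sample is the case a visual check is most likely to miss: the signature is good and the name looks right, but the key is not the release signing key.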
Configuring the use of SSH over the local network
We strongly encourage you to keep the use of Tor for SSH connections enabled unless you have consistent physical access to your SecureDrop servers (see the documentation for background on why this is the default). If you do have physical access, and if Tor network issues are making SecureDrop administration difficult, you can disable the use of Tor for SSH connections as follows:
- Ensure that you have configured a Tails administration password (documentation). During the next steps, you will be prompted for the server sudo password and for the Tails sudo password.
- Within ~/Persistent/securedrop, run ./securedrop-admin sdconfig and follow the prompts. For this functionality, the relevant prompt is “Enable SSH over Tor (recommended, disables SSH over LAN). If you respond no, SSH will be available over LAN only:” Enter no.
- Run ./securedrop-admin install and wait for it to complete.
- If you are prompted to run ./securedrop-admin install again, please do so.
- Run ./securedrop-admin tailsconfig.
SSH should now be available over local network (and no longer over Tor). To re-enable SSH over Tor, run the same commands with the "Enable SSH over Tor" option set to yes.
Configuring email alerts about new submissions
In order to configure this feature, you will need an email address that should receive alerts, a public GPG key to use for that address, and the fingerprint for that key.
On your Admin Workstation, copy the public key (e.g., journalist.pub) to ~/Persistent/securedrop/install_files/ansible-base/.
Within ~/Persistent/securedrop, run ./securedrop-admin sdconfig and follow the prompts. For this functionality, you will be prompted for the following values (default is none, as the functionality is disabled by default):
- Journalist public key (e.g., journalist.pub)
- Journalist GPG key fingerprint
- Journalist email address
Run ./securedrop-admin install and wait for it to complete. The configured email address should now receive an encrypted notification email every 24 hours.
Configuring server reboot time
Within ~/Persistent/securedrop, run ./securedrop-admin sdconfig and follow the prompts. For this functionality, you will be prompted for “Daily reboot time of the server (24-hour clock)”. Specify the desired local time, e.g., type “18” for 6 PM. Then run ./securedrop-admin install to apply the change to the servers.
Notice of future change: Disabling 2FA for TTY logins
Following the release of SecureDrop 0.7.0 on May 15, 2018, SecureDrop 0.8.0 is scheduled to be released on June 26, 2018. As part of version 0.8, we will remove support for two-factor-authentication for logins to the SecureDrop servers via a keyboard directly attached to the servers. 2FA provides no real security benefit in this context. (Issue)
For other changes anticipated in future releases, please see the SecureDrop Roadmap.
Questions and comments
If you have questions or comments regarding this release, please don't hesitate to reach out:
- Via our Support Portal, if you are a member (membership is approved on a case-by-case basis);
- Via securedrop@freedom.press (GPG encrypted) for sensitive security issues (please use judiciously);
- Via our community forums.
We also encourage you to file non-sensitive issues you encounter in our GitHub repository (issue report form).
Thank you for using SecureDrop!
Updated May 3, 2018: The prompt for the "SSH over local network" feature was modified during final QA, and these instructions have been updated accordingly. The git checkout instructions were corrected to specify the full version number.
Updated May 7, 2018: The date of this release has been pushed forward one week, to May 15, 2018, to allow for more time to validate bugfixes made during final QA.
Updated May 15, 2018: The workstation update instructions were corrected to reflect a preference for performing the tag verification before the checkout.