We are pleased to announce the release of SecureDrop 0.7.0. This release includes support for administering SecureDrop servers over the local network (as opposed to using Tor), and for enabling a minimalist daily email notification about new submissions. These and other changes that journalists and administrators should be aware of are summarized below. A complete list of changes can be found on GitHub.

What’s new in SecureDrop 0.7.0?

For sources

• UI change: The Source Interface makes it clearer that SecureDrop accepts files of any type. (Issue, Pull Request)
• UI change: When sources access the Source Interface using the Orfox mobile web browser, a warning will be displayed suggesting they use the desktop Tor browser instead. The reason is that Orfox has not yet been audited, and does not offer all the anonymity protections the desktop browser does. (Issue, Pull Request)

For journalists

• New feature: If enabled by your SecureDrop administrator (see below), you can choose to receive a daily encrypted email notification informing you whether or not new submissions are available on your SecureDrop instance. This is only a yes/no notification for security reasons. (Issue, Pull Request)

For administrators

• New feature: You can configure your SecureDrop servers to allow administration via SSH over your local network (rather than the Tor network). You should not enable this option unless you consistently have physical access to your SecureDrop servers. If you do consistently have physical access and are frustrated by the latency of the Tor network, see below for instructions on how to enable this feature. (Issue, Pull Request)
• New feature / behavior change: You can configure the time of day at which the SecureDrop servers reboot via securedrop-admin sdconfig (it was previously possible to set this time by manually editing a configuration file, which is now discouraged). See below for instructions on how to use this feature. (Pull Request)
• New feature / behavior change: Once the SecureDrop code on the Journalist and Admin Workstations has been updated following the manual procedure described below, the workstation will automatically alert the user about any future SecureDrop-specific updates, and allow the user to perform the update through a graphical user interface. (Issue, Pull Request)
• New languages: SecureDrop is now available in Russian and Hindi. You can enable these languages or any other supported languages following our documentation.
• Bugfix: On both new and existing SecureDrop installs, unnecessary Ubuntu default kernel packages will be correctly removed. (Issue 1, Issue 2, Pull Request 1, Pull Request 2)
• Bugfix: When securedrop-admin cannot reach the primary GPG keyserver, it will attempt to contact an alternative keyserver. This fixes the problem that the update would sometimes abort due to keyserver connection issues. (Issue, Pull Request)
• Bugfix: Images in file formats other than PNG are now rejected for instance logo uploads. Previously, file formats other than PNG were silently renamed. The previously announced feature for automatically converting/resizing logos has been temporarily backed out and will be included in a future release. (Issue, Pull Request)
• Bugfix: The SecureDrop source interface now uses the Referrer-Policy "same-origin" instead of "no-referrer". This fixes a problem that document submissions failed for some instances that use HTTPS certificates. (Issue, Pull Request)
• Metadata minimization: To mitigate against timing analysis of SecureDrop submissions, timestamps will be stripped from the metadata of submission archives. Since the archives are encrypted, this metadata was previously only available on the Secure Viewing Station. (Issue, Pull Request)

What administrators need to do

SecureDrop Application and Monitor Server code will be updated automatically.

To make use of the new features described in the following sections, and to activate the new updater on all Journalist and Admin Workstations, you have to follow the detailed, pre-0.6 procedure for updating your workstation SecureDrop code. First, ensure that you have set a Tails administrator password (documentation). Then, on the workstation to be updated, perform the following steps in a terminal.

cd ~/Persistent/securedrop
git fetch --tags
gpg --recv-key "2224 5C81 E3BA EB41 38B3 6061 310F 5612 00F4 AD77"
git tag -v 0.7.0

The output should include the following two lines:

gpg:                using RSA key 22245C81E3BAEB4138B36061310F561200F4AD77
gpg: Good signature from "SecureDrop Release Signing Key"

Please verify that each character of the fingerprint shown here matches what you see on the screen of your Admin Workstation. Once you have verified the signature and fingerprint, you can update to the latest release:

git checkout 0.7.0
./securedrop-admin setup
./securedrop-admin tailsconfig

The SecureDrop Workstation Updater user interface will now appear if updates are needed when you boot the workstation. Users only need to click “Update Now” instead of performing the steps described above:

Please note that this only updates the SecureDrop code on the workstation. Tails upgrades still have to be performed separately.

Configuring the use of SSH over the local network

By default, SSH administrative access to SecureDrop servers will continue to be routed through the Tor network. We do not recommend changing this default setting unless you have consistent physical access to your SecureDrop servers (see the documentation for background on why this is the default). If you do have physical access, and if Tor network issues are making SecureDrop administration difficult, you can disable the use of Tor for SSH connections as follows:

1. Ensure that you have configured a Tails administration password (documentation). During the next steps, you will be prompted for the server sudo password and for the Tails sudo password.
2. Within ~/Persistent/securedrop, run ./securedrop-admin sdconfig and follow the prompts. For this functionality, the relevant prompt is “Enable SSH over Tor (recommended, disables SSH over LAN). If you respond no, SSH will be available over LAN only:" Enter no.
3. Run ./securedrop-admin install and wait for it to complete.
4. If you are prompted to run ./securedrop-admin install again, please do so.
5. Run ./securedrop-admin tailsconfig .

SSH should now be available over local network (and no longer over Tor). To re-enable SSH over Tor, run the same commands with the "Enable SSH over Tor" option set to yes.

Configuring email alerts about new submissions

Before enabling this feature, please read our advisory regarding the recently disclosed EFAIL vulnerability, which impacts the integration of OpenPGP email decryption with some mail clients.

In order to configure this feature, you will need an email address that should receive alerts, a public GPG key to use for that address, and the fingerprint for that key.

On your Admin Workstation, copy the public key (e.g., journalist.pub) to ~/Persistent/securedrop/install_files/ansible-base/.

Within ~/Persistent/securedrop, run ./securedrop-admin sdconfig and follow the prompts. For this functionality, you will be prompted for the following values (default is none, as the functionality is disabled by default):

• Journalist public key (e.g., journalist.pub)
• Journalist GPG key fingerprint
• Journalist email address

Run ./securedrop-admin install and wait for it to complete. The configured email address should now receive an encrypted notification email every 24 hours.

Configuring server reboot time

Within ~/Persistent/securedrop, run ./securedrop-admin sdconfig and follow the prompts. For this functionality, you will be prompted for “Daily reboot time of the server (24-hour clock)”. Specify the desired local time, e.g., type “18” for 6 PM. Then run ./securedrop-admin install to apply the change to the servers.

Notice of future change: Disabling 2FA for TTY logins

SecureDrop 0.8.0 is scheduled to be released on June 26, 2018. As part of version 0.8.0, we will remove support for two-factor-authentication for logins to the SecureDrop servers via a keyboard directly attached to the servers. 2FA provides no real security benefit in this context. (Issue)

For other changes anticipated in future releases, please see the SecureDrop Roadmap.

Questions and comments

If you have questions or comments regarding this release, please don't hesitate to reach out:

• Via our Support Portal, if you are a member (membership is approved on a case-by-case basis);
• Via securedrop@freedom.press (GPG encrypted) for sensitive security issues (please use judiciously);
• Via our community forums.

We also encourage you to file non-sensitive issues you encounter in our GitHub repository (issue report form).

Thank you for using SecureDrop!

Acknowledgments

This release includes volunteer code contributions from A. J. Bahnken, Ayush Dwivedi, Allan Nordhøy, Loïc Dachary, Giovanni Pellerano, Hariharan Java, heartsucker, and Nat Welch.

The translations for all supported languages were updated thanks to the work of many volunteers:

• Arabic: Ali Boshanab, Jennifer Helsby, Ouss, Ahmad Gharbeia, ButterflyOfFire., Gabriele Kahlout, Thalia Rahme, kwadronaut, Jasmine Khalil, Ramy Raoof, Erin McConnell, Scharik Yousif
• German: Anna Skaja, Ettore Atalan, Eric H., kwadronaut
• Spanish: Jose, Pablo Di Noto, Allan Nordhøy, Freddy Martinez, Daniel Arauz, Camille Fassett, Anatoli
• French: Alain-Olivier, Jean-Marc Manach, Michal Čihař, David, Loïc Dachary
• Italian: Manuel D’Orso, Claudio Arseni, Beatrice Martini
• Norwegian: Øyvind Bye Skille, Allan Nordhøy
• Dutch: Thom, Anne M, kwadronaut, Yarno Ritzen
• Portuguese: Cecília do Lago, Cláudio Carvalho, communiaa, Jonas B. R, Erin McConnell, Bernardo Tonasse
• Turkish: T. E. Kalaycı, Volkan, tekrei
• Chinese: foolfitz, H.-L. Lee, Jin Lin Wright, Shih-Chieh Ilya Li, Cheng-Chia Tseng, Chi-Hsun Tsai

Two new languages are now officially supported:

• Hindi: Abhishek Jaiswal, Subham Banga, Drashti, Dev Singh, Muhammad Usman
• Russian: Andrey, Maria Ovsyannikova, Eric H., Adham Kurbanov