The release of the next version of SecureDrop, 2.1.0, is scheduled for October 19, 2021. We will send out another notification through this blog, Twitter, Mastodon, and the support portal when the release is live. Changes that journalists and administrators should be aware of are summarized in this blog post. A complete list of changes can be found on GitHub.

What’s coming in SecureDrop 2.1.0?

For sources

• Accessibility: The Source Interface now uses more standards-compliant semantic HTML and ARIA annotations to improve accessibility for people with disabilities. (Issue, Pull Requests: 1, 2, 3, 4, 5, 6)

For journalists

• Tails updates: Automatic updates of the Tails operating system on Journalist and Admin Workstations are broken for Tails versions older than 4.19. SecureDrop will attempt to restore automatic update functionality automatically for affected workstations. We will provide additional instructions as part of the release. (Issue, Pull Request)

For administrators

• Security: The two-factor secret length for Journalist Interface user accounts has been increased from 80 to 160 bits. Newly created accounts will have a longer two-factor secret, which is compatible with 2FA apps like FreeOTP and Google Authenticator. Existing accounts will not be impacted until their two-factor secret is reset by you or by the user. (Issue, Pull Request)
• Security: If you have enabled HTTPS on the Source Interface, SecureDrop will now use the TLSv1.3 cipher suite. Your server configuration will be updated automatically. (Issue, Pull Request)
• Usability: Deleting a user now triggers a confirmation dialog even if JavaScript is disabled in Tor Browser. (Issue, Pull Request)
• Backups: You can now restore backups from a backup file already placed on the server (e.g., using rsync or an encrypted USB device). This is intended to help manage backups that are too large to reliably transfer over the Tor network. (Issue, Pull Request)
• Monitoring: OSSEC will no longer send alerts for certain errors logged by the fwupd firmware update tool, which is not currently supported. (Issue, Pull Request)
• Session management: Known issues with user session expiry have been fixed as part of a major refactoring, which also removed reliance on the scrypt module in favor of equivalent functionality from the cryptography package. (Issues: 1, 2; Pull Requests: 1, 2, 3)
• Dependency updates: The following dependencies have been updated as part of routine maintenance. (Pull Requests: 1, 2)
  • requests from 2.22.0 to 2.26.0
  • urllib3 from 1.25.10 to 1.26.6
  • Ansible from 2.9.21 to 2.9.26

What administrators will need to do

SecureDrop Application and Monitor Servers will be updated to SecureDrop 2.1.0 automatically within 24 hours of the release. As with previous releases, we will provide instructions for performing the workstation updates at the time of the release.

Questions and comments

If you have questions or comments regarding this release, please contact us:

• Via our Support Portal, if you are a member (membership is available to SecureDrop administrators on request);
• Via securedrop@freedom.press (GPG encrypted) for sensitive security issues (please use judiciously);
• Via our community forums.

We also encourage you to file non-sensitive issues you encounter in our GitHub repository (issue report form).

Thank you for using SecureDrop!