We’re pleased to announce that SecureDrop 2.1.0 has been released. Changes that journalists and administrators should be aware of are summarized in this blog post. A complete list of changes can be found on GitHub.
What’s new in SecureDrop 2.1.0?
For sources
- Accessibility: The Source Interface now uses more standards-compliant semantic HTML and ARIA annotations to improve accessibility for people with disabilities. (Issue, Pull Requests: 1, 2, 3, 4, 5, 6)
For journalists
- Tails updates: Automatic updates of the Tails operating system on Journalist and Admin Workstations are broken for Tails versions older than 4.19. SecureDrop will attempt to restore automatic update functionality automatically for affected workstations. We will provide additional instructions as part of the release. (Issue, Pull Request)
For administrators
- Security: The two-factor secret length for Journalist Interface user accounts has been increased from 80 to 160 bits. Newly created accounts will have a longer two-factor secret, which is compatible with 2FA apps like FreeOTP and Google Authenticator. Existing accounts will not be impacted until their two-factor secret is reset by you or by the user. (Issue, Pull Request)
- Security: If you have enabled HTTPS on the Source Interface, SecureDrop will now use the TLSv1.3 cipher suite. Your server configuration will be updated automatically. (Issue, Pull Request)
- Usability: Deleting a user now triggers a confirmation dialog even if JavaScript is disabled in Tor Browser. (Issue, Pull Request)
- Backups: You can now restore backups from a backup file already placed on the server (e.g., using rsync or an encrypted USB device). This is intended to help manage backups that are too large to reliably transfer over the Tor network. (Issue, Pull Request)
- Monitoring: OSSEC will no longer send alerts for certain errors logged by the fwupd firmware update tool, which is not currently supported. (Issue, Pull Request)
- Session management: Known issues with user session expiry have been fixed as part of a major refactoring, which also removed reliance on the scrypt module in favour of equivalent functionality from the cryptography package. (Issues: 1, 2; Pull Requests: 1, 2, 3)
- Dependency updates: The following dependencies have been updated as part of routine maintenance. (Pull Requests: 1, 2)
  - requests from 2.22.0 to 2.26.0
  - urllib3 from 1.25.10 to 1.26.6
  - Ansible from 2.9.21 to 2.9.26
What administrators need to do
SecureDrop Application and Monitor Servers will be updated to SecureDrop 2.1.0 automatically within 24 hours of the release. As with previous releases, we recommend that you update your Tails workstations to the latest version of Tails and the latest version of SecureDrop. Please see our upgrade guide for instructions.
Acknowledgments
This release was made possible thanks to volunteer code and documentation improvements by Alban Diquet, Andrew Northall, Giovanni Pellerano, and Prateek Jain.
The translations for all supported languages were updated thanks to the work of many volunteers:
- Catalan: Benet (BennyBeat) R. i Camps, John Smith
- Czech: michaela-bot
- German: Ettore Atalan
- Greek: Adrian, Dimitris Maroulidis
- Spanish: Zuhualime Akoochimoya
- French: AO Localization Lab
- Icelandic: Oktavia, Sveinn í Felli
- Italian: Claudio Arseni, bovirus
- Norwegian: Øyvind Bye Skille
- Slovak: 1000101, Katarina Kasalova
- Swedish: Jonas Waga
- Turkish: Kaya Zeren
- Chinese (Simplified): ff98sha
- Chinese (Traditional): mengpangwang, Chi-Hsun Tsai
Thanks to Erin McConnell and the Localization Lab for supporting this effort.
This release incorporates Freedom of the Press Foundation contributions by: Maeve Andrews, Allie Crevier, Kushal Das, John Hensley, Erik Moeller (communications manager), Kevin O’Gorman (release manager), Rowen S., and Conor Schaefer (deputy release manager & localization manager). It incorporates contributions by Cory Myers, whose work is supported by Internews, and who acted as deputy localization manager for this release.
Questions and comments
If you have questions or comments regarding this release, please contact us:
- Via our Support Portal, if you are a member (membership is available to SecureDrop administrators on request);
- Via securedrop@freedom.press (GPG encrypted) for sensitive security issues (please use judiciously);
- Via our community forums.
We also encourage you to file non-sensitive issues you encounter in our GitHub repository (issue report form).
Thank you for using SecureDrop!