We’re pleased to announce that SecureDrop 2.3.0 has been released. Changes that journalists and administrators should be aware of are summarized in this blog post. A complete list of changes can be found on GitHub.
What’s new in SecureDrop 2.3.0?
For sources
- Usability: The language which explains the codename that is assigned to sources after they log in for the first time has been simplified. Evidence from user research indicates that the previous language was potentially confusing and ambiguous. (Issue, Pull Request)
- Accessibility: Users of screen readers and other assistive devices can now consistently skip to notification messages and main content using “skip to” links. This also fixes an issue with notifications sometimes being scrolled out of view. (Issue, Pull Requests: 1, 2)
- Internationalization: Two phrases in the Source Interface that were always shown in English are now translatable. (Issues: 1, 2, Pull Requests: 1, 2)
- Bugfix: The warning message instructing users to update their security level has been updated to reflect changes in the Tor Browser user interface. (Issue, Pull Request)
- Bugfix: Replies with very long words now wrap correctly instead of overflowing. (Pull Request)
For journalists and administrators
- Anti-spam features: This release of SecureDrop includes several improvements to mitigate spam submissions:
  - You can optionally configure a minimum initial message length. If a source submits only a message below this length, it will be rejected. You can also optionally prevent sources from submitting their seven word codename as part of an initial submission. (Issues: 1, 2, Pull Request)
  - The submission form on the Source Interface now contains a hidden field intended to detect and prevent simple automated submissions. It is not expected to impact human submitters. (Issue, Pull Request)
  - SecureDrop will now reject attempts to connect to the Source Interface via a Tor proxy service such as a Tor2Web gateway. This is intended to prevent spambots that crawl the clearnet from connecting to SecureDrop. It also serves as a security measure to protect sources. (Issues: 1, 2, 3, Pull Requests: 1, 2, 3)
  - Relatedly, to prevent crawling of clearnet copies by search engines, SecureDrop now serves a `robots.txt` file and meta tags to disallow bots. (Issue, Pull Request)
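The submission checks listed above can be sketched as a single validation function. This is an added example, not SecureDrop's own code; the form field names, the `SpamPolicy` settings and the `X-tor2web` gateway header are assumptions made for illustration.

```python
from dataclasses import dataclass

HONEYPOT_FIELD = "website"    # hypothetical name of the hidden form field
MESSAGE_FIELD = "msg"         # hypothetical name of the message field
GATEWAY_HEADER = "x-tor2web"  # assumption: header added by Tor2Web-style gateways

@dataclass
class SpamPolicy:             # hypothetical settings; both checks are optional
    min_initial_message_len: int = 0          # 0 disables the length check
    reject_codename_in_message: bool = False

def _norm(text):
    """Lower-case and collapse whitespace so a re-spaced codename still matches."""
    return " ".join(text.lower().split())

def check_submission(headers, form, has_file, codename, first_submission, policy):
    """Return (accepted, reason) for one submission to the source-facing form."""
    # 1. Refuse requests relayed by a clearnet proxy before looking at the body.
    if any(name.lower() == GATEWAY_HEADER for name in headers):
        return False, "proxy"
    # 2. The hidden field is never filled in by a person using the form.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot"
    message = form.get(MESSAGE_FIELD, "")
    if first_submission and message:
        # 3. The codename is the source's login secret; keep it out of the message.
        if policy.reject_codename_in_message and _norm(codename) in _norm(message):
            return False, "codename"
        # 4. The length floor applies only when the message is the whole submission.
        if not has_file and len(message.strip()) < policy.min_initial_message_len:
            return False, "too_short"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample data, not real codenames or traffic.
    policy = SpamPolicy(min_initial_message_len=10, reject_codename_in_message=True)
    codename = "alpha bravo charlie delta echo foxtrot golf"
    for form in ({"msg": "hi"}, {"msg": "I have documents about a contract."}):
        print(form, check_submission({}, form, False, codename, True, policy))
```

The reason codes are for server-side logging only; what a rejected submitter is shown is a separate decision.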
What administrators need to do
SecureDrop Application and Monitor Servers will be updated to SecureDrop 2.3.0 automatically within 24 hours of the release. As with previous releases, we recommend that you update your Tails workstations to the latest version of Tails and the latest version of SecureDrop. Please see our upgrade guide for instructions.
Acknowledgments
The translations for all supported languages were updated thanks to the work of many volunteers:
- Arabic: Malcolm
- Catalan: Benet (BennyBeat) R. i Camps, Joan Montané
- Czech: 1000101, slrslr
- German: Ettore Atalan, Martin Trebuch, Stephen Brookman
- Greek: Dimitris Maroulidis
- Spanish: Adolfo Jayme-Barrientos, Allan Nordhøy, Anatoli, Daniel Arauz, Zuhualime Akoochimoya
- French: AO Localization Lab, Gonzalo Bulnes Guilpain
- Icelandic: Oktavia, Sveinn í Felli
- Italian: lsd-cat
- Norwegian: Øyvind Bye Skille
- Portuguese, Brasil: d fau
- Russian: Adham Kurbanov, Andrey, Bogdan Kulynych
- Slovak: 1000101
- Swedish: Jonas Waga
- Turkish: Kaya Zeren
- Chinese, Simplified: ff98sha
- Chinese, Traditional: Chi-Hsun Tsai
Thanks to Muna Hemoudi and the Localization Lab for supporting this effort.
This release incorporates Freedom of the Press Foundation contributions by Conor Schaefer, Cory Francis Myers (localization manager), Allie Crevier (communications manager), Erik Moeller (deputy CM), Kevin O'Gorman (release manager), Kunal Mehta (deputy RM), and Michael Z.
Questions and comments
If you have questions or comments regarding this release, please contact us:
- Via our Support Portal, if you are a member (membership is available to SecureDrop administrators on request);
- Via securedrop@freedom.press (GPG encrypted) for sensitive security issues (please use judiciously);
- Via our community forums.
We also encourage you to file non-sensitive issues you encounter in our GitHub repository (issue report form).
Thank you for using SecureDrop!