We’re pleased to announce that SecureDrop 2.4.0 has been released. Changes that journalists and administrators should be aware of are summarized in this blog post. A complete list of changes can be found on GitHub.
Tor Browser security issue
Tails has published an advisory for a serious security issue in Tor Browser affecting all versions of Tails. Administrators and journalists should disable JavaScript by setting Tor Browser’s security level to “Safest” until a fix is available (expected on May 31, 2022). If you are using Tor Browser in Tails for non-SecureDrop browsing, we recommend restarting Tor Browser before and after using it for SecureDrop.
What’s new in SecureDrop 2.4.0?
For sources
- Usability: The design of the Source Interface was overhauled, including: (Issue, Pull Request)
- Notification messages consistently have an accompanying heading and icon
- Use of new monochrome icons based on Material Design
- Improved support for right-to-left languages
- Simplified and updated warning to disable JavaScript
- Fixes for making tab focus properly visible and consistently ordering buttons
- Usability: Some potentially offensive words have been removed from the list that is used to generate codenames. (Issue, Pull Request)
- Localization: Translations for Portuguese (Portugal) have been added. Instructions for administrators on how to enable this locale are available in the upgrade guide.
For journalists and administrators
- Localization: When a configured user interface language is no longer supported by SecureDrop, administrators will now receive OSSEC alerts (instead of the application crashing). (Issue, Pull Request)
- Alerts: Administrators will no longer receive unactionable OSSEC alerts from “fwupd”, which is not used by SecureDrop. (Issue, Pull Request)
- Security: Protections against re-using two-factor authentication tokens have been strengthened. (Pull Request)
- Security: The SecureDrop signing key now has an updated expiry date of 2023-07-04. (Issue, Pull Request)
What administrators need to do
SecureDrop Application and Monitor Servers will be updated to SecureDrop 2.4.0 automatically within 24 hours of the release. As with previous releases, we recommend that you update your Tails workstations to the latest version of Tails and the latest version of SecureDrop. Please see our upgrade guide for instructions.
Acknowledgments
This release was made possible thanks to volunteer code contributions from Alban Diquet.
The translations for all supported languages were updated thanks to the work of many volunteers:
- Arabic: Ahmed Essam, Malcolm
- Catalan: Benet (BennyBeat) R. i Camps
- Czech: michaela-bot, slrslr
- German: Ettore Atalan
- Greek: Dimitris Maroulidis
- French: AO Localization Lab
- Icelandic: Oktavia, Sveinn í Felli
- Italian: Claudio Arseni, coronabond
- Norwegian: Øyvind Bye Skille
- Dutch: kwadronaut
- Portuguese, Brasil: Flávio José de Siqueira Cavalcanti Veras
- Portuguese, Portugal: deeplow, notmuchtohide
- Russian: Andrey
- Swedish: Jonas Waga
- Turkish: Kaya Zeren
- Chinese, Simplified: ff98sha
- Chinese, Traditional: Chi-Hsun Tsai, mengpangwang
Thanks to Chido Musodza and the Localization Lab for supporting this effort.
We are currently lacking translators for Hindi and Romanian, which are both at risk of being removed in the next SecureDrop release. If you speak either language or know someone who does, please see our instructions on contributing translations.
This release incorporates Freedom of the Press Foundation contributions by: Cory Francis Myers (localization manager), Erik Moeller (deputy CM), Kevin O'Gorman (release manager), Kunal Mehta (communications manager), Maeve Andrews, Michael Z (deputy RM) and Rowen S.
Questions and comments
If you have questions or comments regarding this release, please contact us:
- Via our Support Portal, if you are a member (membership is available to SecureDrop administrators on request);
- Via securedrop@freedom.press (GPG encrypted) for sensitive security issues (please use judiciously);
- Via our community forums.
We also encourage you to file non-sensitive issues you encounter in our GitHub repository (issue report form).
Thank you for using SecureDrop!