How do whistleblowers find out about a news organization’s SecureDrop? The most common answer is a landing page, an ordinary web page hosted by the organization operating a SecureDrop. It explains how sources can download the Tor browser, and how they can safely connect to the onion address of the organization’s SecureDrop service.
The landing page is also a potential target for adversaries whose goal is to identify sources, especially those who don’t use the Tor browser to visit it. Our documentation contains detailed recommendations regarding the configuration of landing pages, to offer the greatest possible protection for sources at the point of first contact. Among these are:
Using HTTPS to encrypt traffic from the source to the news organization, and enforcing its use through Strict-Transport-Security and the HSTS Preload List;
Suppressing referrers, to ensure that clicking any links on the landing page does not leak information to third parties;
Avoiding the use of revelatory subdomains (e.g., “leak.news-website.example”), because an adversary that can passively monitor network traffic can view the unencrypted domain name in DNS requests and during the setup of an HTTPS connection;
Avoiding the use of analytics, advertising, third party fonts or other resources that can be used for tracking visitors.
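The recommendations above (and the scanning described in the next paragraph) can be checked mechanically against a fetched landing page. The following is an added example written for this post, not the Freedom of the Press Foundation's own scanner: it takes an already-fetched response (URL, headers, HTML body) and reports which of the four recommendations it fails, so it runs offline. The sample responses, hostnames and the list of "revelatory" words are constructed for illustration, and the subdomain check uses a naive "last two labels are the registrable domain" rule that a real scanner would replace with a public-suffix list.

```python
"""Offline checker for SecureDrop landing-page recommendations (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostname labels that reveal the page's purpose to a passive network observer
# (constructed list; a real scanner would use a broader one).
REVELATORY_WORDS = ("leak", "securedrop", "whistleblow", "tip", "source")

# Tags/attributes that cause the browser to fetch a remote resource.
RESOURCE_ATTRS = {"script": "src", "link": "href", "img": "src", "iframe": "src"}

ONE_YEAR = 31536000  # minimum HSTS max-age for the preload list, in seconds


class _ResourceCollector(HTMLParser):
    """Collect resource URLs and any <meta name="referrer"> policy from the body."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self.meta_referrer = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name", "").lower() == "referrer":
            self.meta_referrer = (a.get("content") or "").strip().lower()
        attr = RESOURCE_ATTRS.get(tag)
        if attr and a.get(attr):
            self.urls.append(a[attr])


def check_landing_page(url, headers, html):
    """Return a list of findings (strings) for one fetched landing page; [] means clean."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    parsed = urlparse(url)
    host = parsed.hostname or ""

    # 1. HTTPS, enforced via HSTS with a preload-eligible policy.
    if parsed.scheme != "https":
        findings.append("not served over HTTPS")
    hsts = h.get("strict-transport-security", "")
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        directives = [d.strip().lower() for d in hsts.split(";")]
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in directives or "preload" not in directives:
            findings.append("HSTS not preload-eligible (needs includeSubDomains and preload)")

    # 2. Referrer suppression via the Referrer-Policy header or a <meta> tag.
    collector = _ResourceCollector()
    collector.feed(html)
    policy = h.get("referrer-policy", "").strip().lower() or collector.meta_referrer
    if policy != "no-referrer":
        findings.append("referrers not suppressed (expected Referrer-Policy: no-referrer)")

    # 3. Revelatory subdomain: every label left of the registrable domain (naive split).
    for label in host.split(".")[:-2]:
        if any(w in label for w in REVELATORY_WORDS):
            findings.append(f"revelatory subdomain label '{label}' in {host}")

    # 4. Third-party resources (fonts, analytics, ads) that can track visitors.
    for res in collector.urls:
        res_host = urlparse(res).hostname  # None for relative URLs
        if res_host and res_host != host:
            findings.append(f"third-party resource loaded from {res_host}")

    return findings


# Constructed sample: a landing page that violates all four recommendations.
WEAK_URL = "https://leak.news-website.example/securedrop"
WEAK_HEADERS = {"Content-Type": "text/html"}
WEAK_HTML = """<html><head>
<link rel="stylesheet" href="https://fonts.thirdparty.example/css?family=Sans">
<script src="https://analytics.thirdparty.example/track.js"></script>
</head><body><p>Our SecureDrop instructions go here.</p></body></html>"""

# Constructed sample: the same page after following the recommendations.
GOOD_URL = "https://news-website.example/securedrop"
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Referrer-Policy": "no-referrer",
}
GOOD_HTML = """<html><head><link rel="stylesheet" href="/static/site.css"></head>
<body><script src="/static/site.js"></script></body></html>"""

if __name__ == "__main__":
    for name, args in (("weak", (WEAK_URL, WEAK_HEADERS, WEAK_HTML)),
                       ("good", (GOOD_URL, GOOD_HEADERS, GOOD_HTML))):
        print(name, check_landing_page(*args) or "no findings")
```

The weak sample produces five findings (missing HSTS, no referrer suppression, the `leak` label, and two third-party hosts); the hardened sample produces none. Because the function only inspects a response you hand it, the same logic can be run over responses captured by any fetcher.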
While we cannot verify whether news organizations follow all our recommendations, we have been automatically scanning landing pages for these and other issues since August 2018. After giving news organizations time to address common issues such as the use of subdomains, as of today we are displaying warnings on the SecureDrop directory entries for a subset of the problems detected by our scanner.
Here is an example of a warning:
It is generally a good idea to use Tor for all SecureDrop-related activity, but it is even more important when accessing SecureDrop landing pages that don’t follow best practices yet. We’d like to thank all the news organizations who have already responded to our outreach efforts and made improvements to their landing pages.
These warnings only cover a subset of our recommendations, and we will likely tweak them over time. To provide the greatest possible protection to sources, we recommend that news organizations follow the entirety of our recommendations. If you have any questions, please don’t hesitate to contact us:
via our Support Portal, if you are a member (membership is approved on a case-by-case basis);
via securedrop@freedom.press (GPG encrypted);
via our community forums.