The SecureDrop team is currently working on an integrated SecureDrop Workstation that combines the previously separate Journalist Workstation and Secure Viewing Station into a single device, based on Qubes OS. This represents a potential major change to the SecureDrop architecture and threat model, which is why we have sought independent review of the technical choices we are making.
We are pleased to announce that Include Security, with direct funding from the Open Technology Fund, has completed an independent audit of the first alpha (developer-focused) release of the SecureDrop Workstation.
As the report notes, this audit was intentionally limited in scope:
The scope of the assessment was limited to a security review of the configuration and use of the Qubes OS as a workstation for journalists using the SecureDrop platform. An examination of Qubes OS or the entire SecureDrop platform was out of the scope of this assessment.
IncludeSec found no medium-risk, high-risk, or critical-risk issues as
part of their review. The auditors shared 5 low-risk findings and 2
informational findings in their report. Please see the full audit report (PDF) for details.
The SecureDrop team has met with IncludeSec to discuss these findings. As a result of that discussion, we have filed the following new issues:
Investigate disabling /rw customizability for sd-svs, other AppVMs
Display system alert recommending shutdown after 5 days of inactivity
Investigate use of sudo password to provide guardrails for journalist users
We would like to thank the IncludeSec team for its careful review, and OTF for funding this important work.We would also like to invite your feedback on the SecureDrop Workstation codebase. Please note that this is still a alpha-level codebase, and the project is not ready for production use yet. We encourage you to file issues as appropriate; you can also send an encrypted email to firstname.lastname@example.org (with our GPG key, fingerprint: 734F 6E70 7434 ECA6 C007 E1AE 82BD 6C96 16DA BB79).