@Hainish had an interesting suggestion: to ship the SecureDrop directory in Tor Browser directly via a HTTPS everywhere SecureDrop ruleset channel.
We would:
At that point, when sources visit the landing page of the news organization, sources would be redirected to the onion URL of the SecureDrop that is listed in the ruleset.
@Hainish, let me know if I misunderstood anything or left out an important part.
See also relevant ticket on Tor Trac. Some initial thoughts follow:
This is a mitigation for the threat of a news organization's web server hosting the SecureDrop landing page being compromised. With this change, if the web server is compromised and the onion URL has been replaced with a malicious one, if the source is visiting the landing page using Tor, then the source will be redirected to the correct onion URL regardless.
Indeed, once landing pages are in the SecureDrop ruleset, we could have organizations update landing page text to indicate that Tor Browser will redirect them to the correct SecureDrop onion URL (else sources that visit the landing page before switching over to Tor may still go to the attacker-controlled onion URL).
Once #2951 is completed (migration to v3 onion services), sources will need to type in a significantly longer onion URL (e.g. when copying the onion URL from a newspaper/billboard/flyer/etc.). This redirect would make the experience smoother from the source perspective.
In the case where a news organization wants to cycle their onion URL, they must inform us rapidly and we must be in a position to quickly update the rulesets.
There is some potential user confusion when they get redirected to a potentially-scary-looking-onion URL. Without explanation, a user may think something is wrong.
We would need to do some user testing from a non-technical user perspective to scope the UX implications of these changes.
As a SecureDrop source, I want getting to the SecureDrop source interface to be as smooth and easy as possible.
Interesting thoughts.
Just chiming in with some input from a news org:
The landing pages at the moment usually serve as more than a manual redirect to the source interface.
Most landing pages also contain guidance to potential sources regarding the news org, source protection, opsec advice etc.
This is also part of the recommended landing page setup in the docs.
With an automatic redirect this will be lost for users visiting via Tor Browser.
Then we would have to include such content at the source interface level in some way.
Hey @redshiftzero, thanks for the write-up. Just a few clarifications:
- Create and sign a custom SecureDrop ruleset (with the SecureDrop release signing key)
This should be an RSA key that's generated and airgapped, not (for instance) a PGP key. I'm assuming the SecureDrop signing key is a PGP key?
At that point, when sources visit the landing page of the news organization, sources would be redirected to the onion URL of the SecureDrop that is listed in the ruleset.
I was thinking something like /^https?:\/\/theintercept\.com\.securedrop\/?$/ would redirect to the onion URL for that SecureDrop instance. So instead of auto-redirecting from the landing page, creating a short URL with a pseudo-TLD to automatically forward.
This would also have the advantage of quick recovery in case of necessary key rotation - for instance if a particular instance's key is compromised or we have to rotate all instances keys again.
@byeskille Brings up a great point about clear messaging for sources; in that respect, we may consider this work blocked by #3044.
I'm assuming the SecureDrop signing key is a PGP key?
yep!
we may consider this work blocked by #3044.
well bill's comment above addresses the (legit) concerns raised by @byeskille - since the landing page will have a link to a URL of the .securedrop for that news organization
I'm going to build out the CRUX UX for controlling update channels. For plausible deniability, it's obviously desirable if a SecureDrop update channel will be built into the Tor Browser build of HTTPS Everywhere. However this will allow us to do some testing and QA before the point where it's built into TB.
At the latest hackathon, we (@emkll et al.) discussed a bit the security implications of this change, which are:
.securedrop pseudo-TLD, then this makes trying to get people to visit malicious onions significantly harder, as they would first need to get the malicious onion included in the custom ruleset. These are new threats that we need to manage:
.securedrop.securedrop prior to using Tor Browser. In addition, users may start attempting to navigate to newsorg.com.securedrop to determine whether or not the organization is using SecureDrop, which would also produce a DNS request. Note that for non-Firefox based browsers, this is currently the case for .onion addresses, and we can only partially mitigate this threat (by discouraging links to onion services on SecureDrop landing pages).@redshiftzero
"* Other rulesets can introduce a malicious .securedrop" has always been true, also for .onion addresses. HTTPS Everywhere is already able to arbitrarily rewrite URLs in Tor Browser.
"* DNS requests to .securedrop pseudo-TLD are leaked" this can be mitigated by changing the URL to either [::1]/theintercept.com.securedrop or 0.0.0.0/theintercept.com.securedrop, since no DNS request is made for IP addresses. This will also remove the risk that currently exists of a Chrome user visiting the .onion address, which does send out a DNS request.
"* Sources trained not to check the onion URL" - I'm not certain why manually checking the onion URL would be necessary if we redirect via an update channel. This mitigates the threat of typo-squatters on .onion URLs, but if SecureDrop is the only entity (other than HTTPS Everywhere and Tor Browser itself, which is already the case) who can sign for .securedrop URLs and users are trained to leak via these URLs, that attack doesn't seem possible.
One additional advantage is that this will facilitate quick key rotation if needed (say a Heartbleed-style attack happens again or some subset of instances keys are compromised). Once the keys are rotated, the SecureDrop ruleset just has to be updated, signed, and posted. Within 24 hours all Tor Browser instances will have those rulesets. The next time a source visits 0.0.0.0/theintercept.com.securedrop they will be safely redirected to the new onion URL.
I've documented the process of creating and maintaining update channels:
https://github.com/EFForg/https-everywhere/blob/master/docs/en_US/ruleset-update-channels.md
Note: anything mentioning scope in the documentation is implemented but not yet launched.
I've added a corresponding issue on the Tor trac: https://trac.torproject.org/projects/tor/ticket/27551
New ticket on Tor side about this: https://trac.torproject.org/projects/tor/ticket/28005
I really love this idea, but am curious: how many Sources is such a feature likely to reach? Do most Sources really use these sorts of tools, yet? How far has their reach extended outside the community of IFF geekery?
Again: I adore this idea... but it feels like a bit of a stretch to me, speculatively, that enough of a percentage of Sources would think to look for SD instances, there, for what it would cost to build this (vs other things Sources need).
Thoughts? Very open to learning about things I'm likely not seeing, in this.
ADDTL: If the gist of this feature is to enable something on the Tor side to do the equivalent of URL forwarding from memorable URLs to SD instances that would be easier for Sources to remember, THAT could be awesome. I may just not be understanding what I've read about this issue, too.
Tor has made progress on this and has a PoC done in https://trac.torproject.org/projects/tor/ticket/28005
I've added suggested subtasks for us in the original post above. There's a first version of a SecureDrop-directory ruleset channel working using the scripts here. Channel for now is served at https://redshiftzero.github.io/securedrop-httpse/, signing pub key is at https://raw.githubusercontent.com/redshiftzero/securedrop-httpse/master/key.jwk.
For our next sprint after the beta workstation kicks off (3/18-4/1) we'll implement https://github.com/freedomofpress/securedrop.org/issues/675, do some more testing and iterate on the rulesets as needed (and transfer the above repo to freedomofpress).
URL forwarding from memorable URLs to SD instances that would be easier for Sources to remember, THAT could be awesome
that's the idea exactly! Using the channel above one can type in something like www.buzzfeednews.com.securedrop.tor.onion (the specific URL is not decided upon yet, it may become shorter) and will get redirected to the corresponding onion URL. Since in SecureDrop 1.0 we moved to the v3 56 character onion URLs by default for new instances it's a big improvement.
Next steps discussed at sprint planning today, for the 4/2-4/15 sprint:
For posterity, recapping the URL schema options we discussed:
We append .securedrop.tor.onion to the domain of the news organization.
Example 1:
theintercept.com becomes theintercept.com.securedrop.tor.onion
Example 2:
abc.net.au becomes abc.net.au.securedrop.tor.onion
Pros:
Cons:
We append .securedrop.tor.onion to the domain of the news organization if the TLD of the news organization domain is .com, we omit it, else we include it as in option A.
Example 1:
theintercept.com becomes theintercept.securedrop.tor.onion
Example 2:
abc.net.au becomes abc.net.au.securedrop.tor.onion
Pros:
Cons:
We maintain a mapping ourselves, and never include the TLD.
Example 1:
theintercept.com can become theintercept.securedrop.tor.onion or even intercept.securedrop.tor.onion
Example 2:
abc.net.au can become abc.securedrop.tor.onion
Pros:
Cons:
We decided to go with option A for now.
We made an officially signed version with only orgs that have opted-in to the ruleset, and thanks to team infra we have our official ruleset deployed on https://securedrop.org/https-everywhere/.
Further suggestions should go as tickets in https://github.com/freedomofpress/securedrop-https-everywhere-ruleset, closing this ticket for now.
If you are a news org viewing this and want to be onboarded and you haven't had a message yet in the support portal, please file a ticket in support.freedom.press.
We're instructing people not to advertise these URLs yet to sources as this is still experimental.
Most helpful comment
Interesting thoughts.
Just chiming in with some input from a news org:
The landing pages at the moment usually serve as more than a manual redirect to the source interface.
Most landing pages also contain guidance to potential sources regarding the news org, source protection, opsec advice etc.
This is also part of the recommended landing page setup in the docs.
With an automatic redirect this will be lost for users visiting via Tor Browser.
Then we would have to include such content at the source interface level in some way.