If the leaker visits this page before opening the Tor Browser from a regular browser to copy the onion url, the whole thing is as safe as SSL as there will be a trail of the SSL connection just before the visit to SecureDrop. And they don't even explain how to avoid it.<p>OPSEC is hard.
If anyone from WaPo visits here, you've got some typos on that page:<p>"Download and install the Tor browser bundle from Download and install the Tor browser bundle from <a href="https://www.torproject.org/" rel="nofollow">https://www.torproject.org/</a>" should be "Download and install the Tor browser bundle from <a href="https://www.torproject.org/" rel="nofollow">https://www.torproject.org/</a>"<p>"You will be provided with a codename that you will use it to log in to check for replies from The Post." should not have the word "it".<p>Otherwise, great work! I'm really glad that you're doing this and featuring it prominently on your home page.
I worry that the Washington Post has unintentionally created a honeypot for leakers. I wonder if the Post has the resources to sufficiently secure it:<p>The requirement for security is to make successful attacks more expensive than they are worth for the attackers. (There is no perfect security, of course.)<p>How much is information leaked to the WP worth? It's information that can change the course of history; it could make war or peace; it could be worth billions or even trillions of dollars; it could simply change the course of the stock market or of one stock and be worth billions to an individual.<p>If I ran a state intelligence service, with the fate of my nation and all my citizens in my hands, I would be irresponsible not to invest in monitoring the Washington Post (and the NY Times, and others') "secure" tip line. If I ran an unscrupulous business, it would be worth it, if only for the information relevant to the stock market.
EDIT: Also, the information can change the course of elections and be a target of unscrupulous politicians.<p>I find it hard to believe that the Washington Post or any news organization has the resources to protect assets that valuable.
In case you don't have Tor installed and want to know what it looks like: <a href="https://imgur.com/GbwKfuG,D2aWi25,glApNg3" rel="nofollow">https://imgur.com/GbwKfuG,D2aWi25,glApNg3</a>
The Guardian has also released a secure drop platform:<p><a href="http://www.theguardian.com/technology/2014/jun/05/guardian-launches-securedrop-whistleblowers-documents" rel="nofollow">http://www.theguardian.com/technology/2014/jun/05/guardian-l...</a><p><a href="https://securedrop.theguardian.com/" rel="nofollow">https://securedrop.theguardian.com/</a>
Does anyone know what the codenames are like? If they are easy enough to remember, then they may be easy enough to brute-force?<p>I think this is a great concept, yet perhaps too little, too late (Journalists should know PGP and drop boxes like these should have been common already). I also worry a bit because of Washington Post's track record with leaks, off the top of my head:<p>- Washington Post was Snowden's first choice, but they put up enough demands for Snowden to move to The Guardian. [1]<p>- Washington Post, according to Assange, had access to the "Collateral Murder" video a whole year before WikiLeaks published their edited video. [2]<p>- Washington Post employs op-ed columnists that call for assassination of "criminally dangerous" leakers like Assange [3]<p>[1] <a href="http://nymag.com/daily/intelligencer/2013/06/nsa-leaker-shopped-his-story-around.html" rel="nofollow">http://nymag.com/daily/intelligencer/2013/06/nsa-leaker-shop...</a> [2] <a href="http://www.abc.net.au/foreign/content/2010/s3040234.htm" rel="nofollow">http://www.abc.net.au/foreign/content/2010/s3040234.htm</a> [3] <a href="http://www.washingtonpost.com/wp-dyn/content/article/2010/08/02/AR2010080202627.html" rel="nofollow">http://www.washingtonpost.com/wp-dyn/content/article/2010/08...</a><p>EDIT: More information on SecureDrop: <a href="https://pressfreedomfoundation.org/securedrop" rel="nofollow">https://pressfreedomfoundation.org/securedrop</a> and source here: <a href="https://github.com/freedomofpress/securedrop" rel="nofollow">https://github.com/freedomofpress/securedrop</a>
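Added example, not part of the comment above and not SecureDrop's code: a way to put numbers on the memorable-versus-brute-forceable question for word-based codenames. It assumes codenames are drawn uniformly from a Diceware-sized list of 7776 words; the thread does not state the real format, and the guess rate, word counts and number of live codenames are constructed.

```python
import math
import secrets

DICEWARE_SIZE = 6 ** 5  # 7776 words: standard Diceware list size (assumed here)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_codename(wordlist, n_words):
    """Draw n_words uniformly with the OS CSPRNG (never random.choice)."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(wordlist_size, n_words):
    """Entropy of a uniformly drawn codename, in bits."""
    return n_words * math.log2(wordlist_size)


def expected_guesses(wordlist_size, n_words, active_codenames=1):
    """Mean guesses until ANY of the active codenames is hit.

    Guessing without repetition over N candidates of which k are valid
    takes (N + 1) / (k + 1) tries on average.
    """
    keyspace = wordlist_size ** n_words
    return (keyspace + 1) / (active_codenames + 1)


def years_to_first_hit(wordlist_size, n_words, guesses_per_second,
                       active_codenames=1):
    """Expected wall-clock years of online guessing before the first hit."""
    guesses = expected_guesses(wordlist_size, n_words, active_codenames)
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def min_words_for(target_bits, wordlist_size):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    # Constructed six-word list, only to show the generator running.
    sample_words = ["amber", "birch", "cobalt", "delta", "ember", "fjord"]
    print(generate_codename(sample_words, 4))
    # Constructed scenario: login throttled to 1000 guesses/s, 500 live codenames.
    for n in (2, 4, 7):
        print(n, round(entropy_bits(DICEWARE_SIZE, n), 1),
              years_to_first_hit(DICEWARE_SIZE, n, 1000, 500))
```

The number of live codenames matters because an online guesser only needs to hit one of them, so the word count has to be sized against the whole user base, not a single source.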
Tor hidden services are not bulletproof. Just as a really simple example, you can do network traffic analysis to find network nodes with one-way traffic to hosts without a correlated public service and deduce if a hidden service is nearby.<p>There are several exploits which have been used in the past to expose Tor hidden services, and several papers on theoretical ways to expose them. Many of these attacks can be used in reverse to expose the origin of a connection to a hidden service.<p>In the [not so] extreme case, the govt can always issue a National Security Letter to WaPo and scoop up any data it wants directly from the hidden service servers, similar to its Silk Road and Freedom Hosting takedowns.<p>The FBI TOR Exploit [ <a href="http://resources.infosecinstitute.com/fbi-tor-exploit/" rel="nofollow">http://resources.infosecinstitute.com/fbi-tor-exploit/</a> ]<p>Heartbleed used to reveal Tor hidden services [ <a href="https://blog.torproject.org/blog/openssl-bug-cve-2014-0160/" rel="nofollow">https://blog.torproject.org/blog/openssl-bug-cve-2014-0160/</a> ]<p>Hot or Not: Revealing hidden services by their clock skew [ <a href="http://www.cl.cam.ac.uk/~sjm217/papers/ccs06hotornot.pdf" rel="nofollow">http://www.cl.cam.ac.uk/~sjm217/papers/ccs06hotornot.pdf</a> ]<p>Tor Hidden Service Passive De-Cloaking [ <a href="http://blog.whitehatsec.com/tor-hidden-service-passive-de-cloaking/" rel="nofollow">http://blog.whitehatsec.com/tor-hidden-service-passive-de-cl...</a> ]
If all Post correspondents used SecureDrop to submit their stories that would be a start.<p>One would have to assume that all the traffic going to the server is logged by the NSA and anyone else who can manage it. If the traffic volume is low then timing correlation with even a large pool of suspects is simple. An active attacker can differentiate between the SSL connection from a web browser and one from a tor node, so the background SSL traffic to the Post would not provide cover.<p>I think it could be improved by using a mix network (eg mixminion) accessed over tor, rather than just tor.<p>Unfortunately the mixmaster/mixminion networks are currently too small to provide meaningful complexity. Large scale adoption by, eg, newspapers, is not technically hard and would significantly complicate the adversary problem.<p>I'd love to see more discussion of bitmessage and Pond (<a href="https://pond.imperialviolet.org/" rel="nofollow">https://pond.imperialviolet.org/</a>)<p>cf <a href="http://www.syverson.org/" rel="nofollow">http://www.syverson.org/</a>
This is brilliant, and a smart move for the WP, despite some of the criticisms below. I think it's a much needed, if romantic, idea that harkens back to the transparency of Wikileaks, and gives WP a great little heads up over some of the other papers. I wouldn't be surprised to watch the others follow suit soon.
Random question: has anyone attempted to build a Tor-like system (or bridge to the actual Tor network) using WebRTC?<p>Assuming you were able to avoid the "JavaScript crypto problem", would this be a good or bad idea?
Sometime in the near future, I predict that the US will require some form of photo I.D before using an internet kiosk. As usual, the spin will be to protect the children.
Wow, Tor is still a thing? We have confirmation that security agencies have taken over exit nodes and injected spyware before to track targets. I'm surprised anyone uses it. It's like the security lottery.