Choosing the right secure submission system for your organisation

To begin, first read @yawnbox’s excellent piece on this.

Choosing which secure source submission platform is right for you. I want to add some additional thoughts on the differences (while hopefully not regurgitating too much of what has already been covered by @yawnbox).

SecureDrop

SecureDrop, in my opinion, is designed with medium to large news media organisations in mind and is best suited to them. If you are an established news media organisation and are seeking the most secure anonymous platform to manage newsroom sources, then you should look at deploying a SecureDrop platform.

SecureDrop requires the greater investment in equipment to meet its minimum requirements, and experienced Linux administrators to maintain and operate it.

With SecureDrop, the administrator must be in-house.

SecureDrop does not require the source to have a JavaScript-enabled Tor Browser in order to interact with the server and upload documents.

SecureDrop does offer the source the option to manually pre-encrypt files with the journalist’s PGP keys before uploading. Without this, though, a file is still encrypted with the application’s own dedicated PGP key. This means the person or persons with the passphrase of the application’s PGP key can decrypt uploaded files.
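The manual pre-encryption step described above, as an added example that is not part of the original post or of SecureDrop itself: it encrypts a file to one PGP key with GnuPG and rejects the output unless the ciphertext is addressed to that key alone. The key, address and file are constructed throwaways, and the function names are hypothetical; a real source would import the journalist's published key and check its fingerprint out of band.

```shell
#!/bin/sh
# Added example. All keys and files below are constructed for the demo.

# Print the key IDs a ciphertext is addressed to, one per line.
recipients_of() {
    gpg --batch --list-packets "$1" 2>/dev/null |
        sed -n 's/^:pubkey enc packet:.* keyid \([0-9A-F]*\).*/\1/p'
}

# Print the encryption-capable (sub)key IDs of the key with fingerprint $1.
# Field 12 of the colon listing holds capabilities; lowercase "e" = can encrypt.
enc_keyids_of() {
    gpg --batch --with-colons --list-keys "$1" |
        awk -F: '($1 == "pub" || $1 == "sub") && $12 ~ /e/ { print $5 }'
}

# Encrypt file $1 to fingerprint $2 only. --no-encrypt-to ignores any
# encrypt-to line in gpg.conf that would silently add a second recipient.
# The result is deleted unless its recipient list is exactly that key.
pre_encrypt() {
    gpg --batch --yes --trust-model always --no-encrypt-to \
        --output "$1.gpg" --encrypt --recipient "$2" "$1" || return 1
    [ "$(recipients_of "$1.gpg")" = "$(enc_keyids_of "$2")" ] || {
        rm -f "$1.gpg"
        return 1
    }
}

# Demo in a throwaway keyring: generate a stand-in "journalist" key,
# pre-encrypt a sample file, and print how many recipients it has.
demo() {
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Constructed Journalist <journalist@example.invalid>' \
        default default never 2>/dev/null || return 1
    fpr=$(gpg --batch --with-colons --list-keys |
        awk -F: '$1 == "fpr" { print $10; exit }')
    printf 'constructed sample document\n' > "$GNUPGHOME/leak.txt"
    pre_encrypt "$GNUPGHOME/leak.txt" "$fpr" || return 1
    count=$(recipients_of "$GNUPGHOME/leak.txt.gpg" | wc -l)
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$GNUPGHOME"
    echo "$count"
}
# Run with: demo
```

A file encrypted this way stays unreadable to whoever holds the application's key, which only adds its own layer on top.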

SecureDrop’s technical strength is its NSA-level hardened threat model, reducing the threat surface to the bare minimum. The security practices stipulated in the SecureDrop Wiki documentation should be used by all journalists when handling secure information.

However, at a certain level it also depends on a country’s ruling government to respect the rights of journalists. For example, a government that does not respect these rights could force the administrators to hand over the application’s PGP keys, and would thus be able to decrypt any files still resident on the SecureDrop, or future submissions if the organisation is forced to continue running the SecureDrop under duress.

Globaleaks

Globaleaks was designed to scale from a single journalist/receiver through to as many journalists/receivers as your server can handle, using the least amount of equipment: a single webserver (and an optional additional hardware firewall, which is my professional recommendation).

Globaleaks requires the source to have a JavaScript-enabled Tor Browser.

A Globaleaks administrator does not have to be in-house in order to configure administrative settings.

A Globaleaks source’s files are first temporarily pre-encrypted with a symmetric AES key before being encrypted with the journalist’s own PGP key (recommended deployment method). Therefore at no time are the files stored on the server in unencrypted form. This also means only *that* specified journalist can decrypt files sent to them.

An encrypted email notification can be configured to be sent to the corresponding journalist/receiver when a submission is made.

A Globaleaks server can be more securely deployed in a country/region that has no respect for journalist privilege, or used for non-journalist related deployments using standard compartmentalisation methods. If the server location is compromised, a state actor cannot get access to encrypted files. Getting access to source content files is only possible if they de-anonymise the journalists/receivers AND get access to their PGP private key passphrase, in which case only the files of the individual journalists/receivers that are still resident on the server will be compromised, rather than all files.

Common to Both

Both platforms deploy on the Tor network to provide a layer of anonymity and end-to-end encryption, as well as some protection of the location of the secure dead drop systems.

Both allow for multiple receivers/journalists.

Like any webserver system, they need an administrator to keep the physical equipment’s OS and applications up to date.

Both Globaleaks and SecureDrop can be deployed into an already compromised network, as is the case with many established news organisations. This is due to the SecureDrop-recommended pfSense hardware firewall being used with either choice.

Drawbacks

Many journalists still struggle with basic encryption issues. Using Tails correctly, with persistence configured correctly, takes time to learn and to get used to if you do not use it regularly. PGP crypto is difficult to get right and clunky to use.

SecureDrop

As is the case with some deployments of SecureDrop, the administrators or an onsite security specialist are often employed to take on the role of “file decrypter” rather than the journalists performing this function. Once decrypted, files are analysed, then encrypted by this person with the PGP keys of the nominated journalist before being forwarded to them.

Globaleaks

Globaleaks’ documented security requirements for journalists/receivers are low. Therefore I encourage journalists/receivers to use the same standards required of SecureDrop journalists/receivers. Under security best practice, they would only ever access the Globaleaks journalist/receiver login area via a dedicated Tails laptop and decrypt files via a dedicated airgapped (never used on the internet or networked) Tails laptop.

Globaleaks also demands that sources enable JavaScript in their Tor Browser. This can be off-putting for the more security-minded sources. Also, some browsers like Orfox do not have the ability to enable JavaScript and are therefore blocked from interacting with a Globaleaks server.