Further security considerations when hosting a SecureDrop or Globaleaks server

If you are a journalist organisation with a central office situated in a country that respects the role of journalists, then you may quite comfortably run a SecureDrop or Globaleaks server within the offices of your organisation and depend on journalistic privilege to prevent governments from entering your offices and walking out with your secure dead drop servers, forcing you to hand over the application's GPG key (in the case of SecureDrop, where encrypting with a journalist's GPG key is left up to the source), or placing gag orders on you.

Be careful though: many states will selectively respect the rights of journalists depending on the size and power of the news network. For example, even in Aotearoa New Zealand, the police have few qualms about raiding the houses of independent journalists, as was the case with investigative journalist Nicky Hager in 2014.

If your threat model means that keeping the location of your dead drop secret is also critical, then you should consider taking additional steps to protect your Tor hidden service's IP address, and therefore its location, from being discovered.

Hosting a secure dead drop:
Never run your SecureDrop or Globaleaks server on a VPS or any other form of remote hosting. There have been too many instances of virtual server vulnerabilities as well as malicious VPS providers. The most secure option is dedicated hardware in a secure premises.

Also avoid single-point-of-failure services, such as load-balancing methods that attempt to cloud-host SecureDrop or Globaleaks servers. The same goes for applications that host the private keys remotely. Avoid these.

Prevent guard node attacks:
There are a few types of attacks that target the relays which your SecureDrop or Globaleaks server connects to. Their purpose is to deanonymise your server, and they can also be used to attempt to identify who is connecting to your service.

To mitigate this attack you will have to consider running your own anonymous relays as dedicated entry nodes for your SecureDrop or Globaleaks server.

When these are safely configured, your SecureDrop or Globaleaks server can then be set to select its entry guard node only from those stipulated in the torrc file. If these relays come under attack, your dead drop will just become unavailable rather than shift to relays that could potentially be under the control of an attacker.
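
A check an operator could run against the server's torrc to confirm the pinning described above (an added example, not part of the original article or of the SecureDrop or Globaleaks projects). The article does not name the torrc option; this assumes Tor's `EntryNodes` option, and the fingerprints and sample files are constructed placeholders.

```python
import re

# A relay identity fingerprint: 40 hex characters, optionally prefixed with "$".
FPR = re.compile(r"^\$?([0-9A-Fa-f]{40})$")

def audit_torrc(text, own_relays):
    """Return a list of findings; an empty list means guards are pinned to own_relays."""
    own = {f.upper() for f in own_relays}
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()                   # torrc option names are case-insensitive
        opts.setdefault(key, []).append(parts[1] if len(parts) > 1 else "")
    entry = opts.get("entrynodes", [])
    if not entry:
        return ["EntryNodes is not set: Tor picks guards from the public network"]
    findings = []
    if len(entry) > 1:
        findings.append("EntryNodes appears more than once: keep a single line")
    for item in ",".join(entry).split(","):
        item = item.strip()
        m = FPR.match(item)
        if not m:
            # Country codes such as {nz} or nicknames do not pin to specific relays.
            findings.append(f"{item!r} is not a full relay fingerprint")
        elif m.group(1).upper() not in own:
            findings.append(f"{item} is not one of your own relays")
    if opts.get("usebridges", ["0"])[-1].strip() == "1":
        findings.append("UseBridges 1: configured bridges replace EntryNodes as entry points")
    return findings

# Constructed sample data (placeholder fingerprints, not real relays).
OWN = ["A" * 40, "B" * 40]
GOOD = f"SocksPort 0\n# dedicated guards\nEntryNodes ${'A' * 40},{'b' * 40}\n"
BAD = f"EntryNodes {{nz}},${'C' * 40}\nUseBridges 1\n"

if __name__ == "__main__":
    for name, conf in (("good", GOOD), ("bad", BAD)):
        print(name, audit_torrc(conf, OWN) or "OK")
```
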

Do not draw attention to your Tor Hidden Service:
If the IP address of a Tor Hidden Service does not behave differently from a standard user of Tor, an attacker will not be able to easily determine that there is a Tor Hidden Service running (i.e. do not run any other service on the IP address of your Tor Hidden Service, as this may draw attention to your specific IP address).

It is also good practice, however, to run your SecureDrop or Globaleaks server on a separate internet connection from your organisation's own corporate network connection.