This has been discussed in #92 (comment) - create a third party directory server to periodically scrape the SD instances out there, checking all active resources for malicious code injection using a standardized hashing mechanism. If an instance is modified, alert the SD instance owner of the change.
The entire SD application can live in a JS browser application, but the one component that would still have to be provided by the server is the GPG key of the instance. Thus the directory server should have a copy of the keys and check that the public key of the system is the same as well.
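The check proposed in the issue above, sketched as an added example (this is not code from SecureDrop or from any directory server): a baseline of SHA-256 hashes per resource plus a hash of the instance's public key, compared against a later scrape. The resource paths, function names and sample bodies are assumptions constructed for illustration, and the scrape is passed in as bytes so the example runs offline.

```python
import hashlib

def digest(body: bytes) -> str:
    """SHA-256 over the exact bytes served."""
    return hashlib.sha256(body).hexdigest()

def make_baseline(resources: dict, public_key: bytes) -> dict:
    """Record known-good hashes for one instance, taken from a trusted fetch."""
    return {
        "resources": {path: digest(body) for path, body in resources.items()},
        "public_key": digest(public_key),
    }

def audit(baseline: dict, resources: dict, public_key: bytes) -> list:
    """Compare a fresh scrape with the baseline; return sorted (kind, item) findings."""
    known = baseline["resources"]
    findings = []
    for path, expected in known.items():
        if path not in resources:
            findings.append(("missing", path))
        elif digest(resources[path]) != expected:
            findings.append(("modified", path))
    # A resource the baseline never listed is as notable as a changed one.
    for path in resources.keys() - known.keys():
        findings.append(("unexpected", path))
    if digest(public_key) != baseline["public_key"]:
        findings.append(("key-changed", "public key"))
    return sorted(findings)

# Constructed sample data (hypothetical paths and placeholder bodies).
TRUSTED = {
    "/static/js/source.js": b"function submit() { /* placeholder */ }\n",
    "/static/css/source.css": b"body { margin: 0 }\n",
}
TRUSTED_KEY = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n(constructed A)\n-----END PGP PUBLIC KEY BLOCK-----\n"
OTHER_KEY = TRUSTED_KEY.replace(b"constructed A", b"constructed B")

def demo() -> list:
    baseline = make_baseline(TRUSTED, TRUSTED_KEY)
    scraped = {
        "/static/js/source.js": TRUSTED["/static/js/source.js"] + b"// drift\n",
        "/static/js/extra.js": b"// not in baseline\n",
    }
    return audit(baseline, scraped, OTHER_KEY)

if __name__ == "__main__":
    for kind, item in demo():
        print(f"ALERT {kind}: {item}")  # here the instance owner would be notified
```

The baseline itself has to be stored and served by the directory server, not by the instance being audited, for the comparison to mean anything.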
I have a proposal for verifying and auditing journalists' public keys in the draft 1.0 Roadmap. @Hainish Would appreciate your feedback! It is quite different from the proposal here, but satisfies the same goals.
Yes, the forthcoming overhaul of securedrop.org will implement an automated scanner for both the Source Interface and the Landing Page for each known SecureDrop instance, similar in style to Secure The News. The development effort on the new scanner is ongoing, and we optimistically hope to ship in Q2 2018.
As such, I'm closing this issue, as the final pieces are close to completion, and no code changes will be required to this repository in order to finalize implementation.