- Fixes security vulnerabilty (severity=high) in access control on Document Interface (#974)
- Improved installation and setup documentation (#927, #907, #903, #900)
- Fixed PEP8 and other style issue (#926, #893, #884, #890, #885)
- Automatic torrc initialization in Tails via dotfiles persistence (#925)
- Fix bug in installing grsecurity kernel when using new Ubuntu 14.04.2 .iso (#919)
- Prevent sources from creating "empty" submissions (#918)
- Autoremove unused packages after automatic upgrade (#916)
- Remove the App Server (private) IP address from OSSEC alert email subject lines (#915)
- Handle custom header image as a conffile in the securedrop-app-code Debian package (#911)
- Upgrade path from 0.3pre (#908, #909)
- Remove offensive words from source and journalist word lists (#891, #901)
This is a high-level overview of some of the more significant changes between SecureDrop 0.2 and 0.3. For the complete set of changes, diff the tags.
- Reduce JS dependencies to JQuery (stable) only
- Add functional tests, increase unit test coverage
- Rewrite database layer (db.py) using SQLAlchemy declarative ORM
- Automate dev. setup with Vagrant and integrate with Travis CI
- Store more info in db and less on filesystem
- "flagged" sources
- metadata for new UI features (starring, etc.)
- metadata for simpler/more efficient views in journalist.py
- Do not set headers in the web app (handle by production config.)
- Add 2fac auth for journalist interface
- Allow OSSEC emails to be encrypted with admin GPG key
- Install app server, monitor server, Python dependencies, and custom configuration via deb packages
- UI refresh on source and journalist interfaces
- New UX for journalists:
- "quick filter" box for codenames
- "download unread" link
- star sources
- multi-select actions for sources (delete, star, unstar) and submissions (download, delete)
- more detailed source listings
- Normalize submission timestamps to that of the most recent submission to minimize metadata that could be used for correlation
- Handle journalist authentication in the Document Interface instead of relying entirely on Authenticated Tor Hidden Services.
- Document Interface supports two-factor authentication via Google Authenticator or Yubikey
- These logins are hardened in a manner similar to that of the
google-authenticator
PAM module: tokens may only be used once, logins are rate limited, etc. - If you are using TOTP, the window is expanded from 1 period to 3 in order to help the situation where the server and client's clocks are skewed
- These logins are hardened in a manner similar to that of the
- Add Admin Interface so privileged "admin" users may add, edit, or delete other users on the Document Interface
- Requests are automatically encrypted with an ephemeral key as they are buffered onto disk to mitigate forensic attacks
- The haveged "high water" mark has been raised to maintain a higher average level of entropy on the system and minimize the appearance of the "flag for reply" flow
- Secure removal (via
srm
) of data has been moved to an async worker to prevent hanging the interface when deleting large files or collections - New dedicated section of Source Interface for replies, instead of using flashed messages
- Change default codename length from 8 words to 7 words, maintains a sufficient security level while hopefully improving usability for sources
- Add recommendations for storing and memorizing the codename to the codename generation page
- Improve the quality of journalist designations generated by reducing the adjectives and nouns lists to a smaller subset of common words
- Use ntpd to continuously update the server time (especially important when using TOTP for two-factor authentication)
- Move Document Interface to port 80 so we don't have to keep remembering to type ":8080"
- We no longer ASCII-armor submissions when they are encrypted. This was unnecessary and bloated the size of the submissions, which is important to avoid because downloading large submissions over Tor is very slow.
- Flask now uses X-Send-File for downloads, which fixed some reported issues are large downloads not finishing or being corrupted.
- Add egress host firewall rules
- Add google-authenticator apache module and basic auth for access to document interface
- Encrypt bodies of OSSEC email alerts (add postfix+procmail to monitor server)
- Create apparmor profiles for chrooted interface Tor process
- Update interface apparmor profiles for changes to application code
- Change installation method to use Ansible playbook and deb packages
- Split securedrop repo into 3 separate repos for securedrop-specific code (the application, Python dependencies, and custom configuration) and the upstream packages that we maintain (OSSEC and the hardened grsecurity kernel for Ubuntu)
- Add variety of development and testing environments for developers and researchers to use with Vagrant
- Reduce OSSEC email alert noise through whitelisting errors that are reported by the default configuration but that we have investigated and determined to be safe to ignore
- Document a thoroughly tested network firewall configuration with pfSense
- Reboot the machine automatically every 24 hours to reduce the potential for plaintext to remain in memory
- Add KeePassX password database template and document its use for journalists and admins
- Add secure backup and recovery scripts
- Add migration scripts
- Major improvements to the installation and user documentation, including lots of detail, testing, and the addition of TOC
- Fix for flagging errors
- Validate journalist messages
- Add logging using standard Python library.
- Add delete collection
- Replace bcrypt with scrypt
- Clear referer on external links
- Set maximum request body size in CONFIG_OPTIONS
- Add security-related HTTP headers to Apache config
- Remove mysql database, replace w/ sqlite. Update sqlite apparmor profile.
- Add outbound iptables rule for source/document groups
- Various documentation improvements
- Remove javascript dependency in source interface
- Add warning to source interface about using javascript (with Gritter)
- Update to pycrypto 2.6.1
- Validate filenames and codenames
- Remove unsafe characters from codenames, remove diceware words that are not real words
- Rewrite source.py and journalist.py with Flask
- Add tests
- Flag sources for journalist reply to avoid DOS attack by generating many GPG keys
- Allow journalists to delete documents with SRM
- Add bulk download to journalist interface
- Add MySQL-python and SQLAlchemy dependency, db.py to perform database functions (ex: storing codenames)
- Remove option to have codenames with <7 words
- Use sqlite as default database
- Add support for theming
- bcrypt hash GPG passphrase for key stretching
- Merge source and journalist servers into a single app server
- Add apparmor profiles
- Remove puppet, add base_install.sh script
- Create interface-install.sh script to set up chroot jails
- Add Ubuntu dev-setup script
- Backup Tor private keys
- Move config files into install scripts directory
- Change SOURCE_IP to APP_IP
- Set ownership and permissions for application code
- Renamed DeadDrop to SecureDrop
- Redesigned source and document web interface
- Wrote detailed documentation
- Improved installation process
- Wrote unit & integration tests
- Improved codename wordlist, based on Diceware
- Use bcrypt instead of SHA
- Removed VPN, replaced with authenticated Tor hidden service
- Freedom of the Press Foundation taking over project
DeadDrop was originally written by Aaron Swartz.