changelog.md
Changelog

0.3.2

  • Fixes security vulnerability (severity=high) in access control on Document Interface (#974)

0.3.1

  • Improved installation and setup documentation (#927, #907, #903, #900)
  • Fixed PEP8 and other style issues (#926, #893, #884, #890, #885)
  • Automatic torrc initialization in Tails via dotfiles persistence (#925)
  • Fix bug in installing grsecurity kernel when using new Ubuntu 14.04.2 .iso (#919)
  • Prevent sources from creating "empty" submissions (#918)
  • Autoremove unused packages after automatic upgrade (#916)
  • Remove the App Server (private) IP address from OSSEC alert email subject lines (#915)
  • Handle custom header image as a conffile in the securedrop-app-code Debian package (#911)
  • Upgrade path from 0.3pre (#908, #909)
  • Remove offensive words from source and journalist word lists (#891, #901)

0.3

Web App

This is a high-level overview of some of the more significant changes between SecureDrop 0.2 and 0.3. For the complete set of changes, diff the tags.

  • Reduce JS dependencies to JQuery (stable) only
  • Add functional tests, increase unit test coverage
  • Rewrite database layer (db.py) using SQLAlchemy declarative ORM
  • Automate dev. setup with Vagrant and integrate with Travis CI
  • Store more info in db and less on filesystem
    • "flagged" sources
    • metadata for new UI features (starring, etc.)
    • metadata for simpler/more efficient views in journalist.py
  • Do not set headers in the web app (handled by production config)
  • Add 2fac auth for journalist interface
  • Allow OSSEC emails to be encrypted with admin GPG key
  • Install app server, monitor server, Python dependencies, and custom configuration via deb packages
  • UI refresh on source and journalist interfaces
  • New UX for journalists:
    • "quick filter" box for codenames
    • "download unread" link
    • star sources
    • multi-select actions for sources (delete, star, unstar) and submissions (download, delete)
    • more detailed source listings
  • Normalize submission timestamps to that of the most recent submission to minimize metadata that could be used for correlation
  • Handle journalist authentication in the Document Interface instead of relying entirely on Authenticated Tor Hidden Services.
  • Document Interface supports two-factor authentication via Google Authenticator or Yubikey
    • These logins are hardened in a manner similar to that of the google-authenticator PAM module: tokens may only be used once, logins are rate limited, etc.
    • If you are using TOTP, the window is expanded from 1 period to 3 in order to help the situation where the server and client's clocks are skewed
  • Add Admin Interface so privileged "admin" users may add, edit, or delete other users on the Document Interface
  • Requests are automatically encrypted with an ephemeral key as they are buffered onto disk to mitigate forensic attacks
  • The haveged "high water" mark has been raised to maintain a higher average level of entropy on the system and minimize the appearance of the "flag for reply" flow
  • Secure removal (via srm) of data has been moved to an async worker to prevent hanging the interface when deleting large files or collections
  • New dedicated section of Source Interface for replies, instead of using flashed messages
  • Change default codename length from 8 words to 7 words, which maintains a sufficient security level while hopefully improving usability for sources
  • Add recommendations for storing and memorizing the codename to the codename generation page
  • Improve the quality of journalist designations generated by reducing the adjectives and nouns lists to a smaller subset of common words
  • Use ntpd to continuously update the server time (especially important when using TOTP for two-factor authentication)
  • Move Document Interface to port 80 so we don't have to keep remembering to type ":8080"
  • We no longer ASCII-armor submissions when they are encrypted. This was unnecessary and bloated the size of the submissions, which is important to avoid because downloading large submissions over Tor is very slow.
  • Flask now uses X-Send-File for downloads, which fixed some reported issues with large downloads not finishing or being corrupted.
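As an added illustration of the hardened two-factor login described in the 0.3 Web App notes above (example code, not SecureDrop's own), the following Python verifies a TOTP token across a 3-period window, rejects a token that has already been consumed, and stops checking after a run of failed attempts. The secret, timestamp and failure threshold are constructed for the demo.

```python
# Added example, not SecureDrop's own code: TOTP verification with the
# hardening described in the 0.3 changelog: a 3-period acceptance window,
# tokens that may be used only once, and a simple failed-attempt limit.
import hashlib
import hmac
import struct
import time
from typing import Optional

PERIOD = 30        # seconds per TOTP step (RFC 6238 default)
MAX_FAILURES = 5   # assumed limit; lock out after this many consecutive failures


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Accepts the current period plus one on either side (3 periods total),
    remembers the highest counter already consumed so a token cannot be
    replayed, and refuses further attempts after too many failures."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window          # periods accepted on each side of "now"
        self.last_used_counter = -1   # highest counter accepted so far
        self.failures = 0             # consecutive failed attempts

    def verify(self, token: str, now: Optional[int] = None) -> bool:
        if self.failures >= MAX_FAILURES:
            return False              # rate limited: caller should back off
        now = int(time.time()) if now is None else now
        current = now // PERIOD
        for counter in range(current - self.window, current + self.window + 1):
            # Constant-time compare so timing does not reveal matching digits.
            if hmac.compare_digest(hotp(self.secret, counter), token):
                if counter <= self.last_used_counter:
                    break             # replay of an already-consumed token
                self.last_used_counter = counter
                self.failures = 0
                return True
        self.failures += 1
        return False
```

In a real deployment the consumed counter and failure count must be persisted per user, not kept in memory, or a restart would reopen the replay window.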

Environment

  • Add egress host firewall rules
  • Add google-authenticator apache module and basic auth for access to document interface
  • Encrypt bodies of OSSEC email alerts (add postfix+procmail to monitor server)
  • Create apparmor profiles for chrooted interface Tor process
  • Update interface apparmor profiles for changes to application code
  • Change installation method to use Ansible playbook and deb packages
  • Split securedrop repo into 3 separate repos for securedrop-specific code (the application, Python dependencies, and custom configuration) and the upstream packages that we maintain (OSSEC and the hardened grsecurity kernel for Ubuntu)
  • Add variety of development and testing environments for developers and researchers to use with Vagrant
  • Reduce OSSEC email alert noise through whitelisting errors that are reported by the default configuration but that we have investigated and determined to be safe to ignore
  • Document a thoroughly tested network firewall configuration with pfSense
  • Reboot the machine automatically every 24 hours to reduce the potential for plaintext to remain in memory
  • Add KeePassX password database template and document its use for journalists and admins
  • Add secure backup and recovery scripts
  • Add migration scripts
  • Major improvements to the installation and user documentation, including lots of detail, testing, and the addition of TOC

0.2.1

Web App

  • Fix for flagging errors
  • Validate journalist messages
  • Add logging using standard Python library.
  • Add delete collection
  • Replace bcrypt with scrypt
  • Clear referer on external links

Environment

  • Set maximum request body size in CONFIG_OPTIONS
  • Add security-related HTTP headers to Apache config
  • Remove mysql database, replace w/ sqlite. Update sqlite apparmor profile.
  • Add outbound iptables rule for source/document groups

0.2

  • Various documentation improvements

Web App

  • Remove javascript dependency in source interface
  • Add warning to source interface about using javascript (with Gritter)
  • Update to pycrypto 2.6.1
  • Validate filenames and codenames
  • Remove unsafe characters from codenames, remove diceware words that are not real words
  • Rewrite source.py and journalist.py with Flask
  • Add tests
  • Flag sources for journalist reply to avoid DOS attack by generating many GPG keys
  • Allow journalists to delete documents with SRM
  • Add bulk download to journalist interface
  • Add MySQL-python and SQLAlchemy dependency, db.py to perform database functions (ex: storing codenames)
  • Remove option to have codenames with <7 words
  • Use sqlite as default database
  • Add support for theming
  • bcrypt hash GPG passphrase for key stretching

Environment

  • Merge source and journalist servers into a single app server
  • Add apparmor profiles
  • Remove puppet, add base_install.sh script
  • Create interface-install.sh script to set up chroot jails
  • Add Ubuntu dev-setup script
  • Backup Tor private keys
  • Move config files into install scripts directory
  • Change SOURCE_IP to APP_IP
  • Set ownership and permissions for application code

0.1

  • Renamed DeadDrop to SecureDrop
  • Redesigned source and document web interface
  • Wrote detailed documentation
  • Improved installation process
  • Wrote unit & integration tests
  • Improved codename wordlist, based on Diceware
  • Use bcrypt instead of SHA
  • Removed VPN, replaced with authenticated Tor hidden service
  • Freedom of the Press Foundation taking over project

DeadDrop was originally written by Aaron Swartz.