April 8: The "hidden service" address of the ProPublica SecureDrop server changed as a security precaution due to the "Heartbleed" bug. This post has been updated.
Today we’re launching a new system to help sources send us messages and files more securely than they can via things like email and FTP. You can read more about the system at our secure information page at securedrop.propublica.org.
The system uses SecureDrop, an open-source tool developed for The New Yorker by Kevin Poulsen and the late Aaron Swartz. The software is now maintained by the Freedom of the Press Foundation, which worked with us to set it up at ProPublica. To help protect our sources' identities, it is only accessible using the Tor system. We do not record your IP address or information about your browser, computer or operating system.
The design of the SecureDrop system builds upon well-tested security technologies like PGP encryption and Tor routing, and on techniques such as air gapping. It represents the best way we know of to share information electronically. However, no system is perfectly secure, and sources wishing to send us material using the system should be aware of the specific risks they face, including the security of their own equipment and networks.
The information page at securedrop.propublica.org contains instructions on how to send us material through the system. The information page itself is on a server that is not connected to the SecureDrop server. But as an important part of the system, it needs to follow good security practices, so we’ve configured it according to security recommendations by the Freedom of the Press Foundation. We enforce HTTPS connections to that domain by using the “Strict-Transport-Security” HTTP header. We prevent external content and browser frames from accessing that page, to ensure that the information you see there isn’t tampered with. It does not store any access logs or create any persistent cookies. You can verify that server’s settings yourself by visiting SecurityHeaders.com and the Qualys SSL Labs tester.
We’ve documented the nginx configuration file we use on our information page and are publishing it today. Other sites may use our example config for similar small websites requiring HTTPS and high browser security.
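The properties described above for the information page (enforced HTTPS, no framing, no external content, no persistent cookies) can be checked mechanically from a response's headers. The sketch below is an added example, not ProPublica's or the Freedom of the Press Foundation's code; it assumes the framing and content restrictions are expressed through the X-Frame-Options and Content-Security-Policy headers, which the article does not name, and the header values in it are constructed samples.

```python
# Added example: audit response headers against the properties the article lists.
# HARDENED and WEAK are constructed samples, not captured from the real server.
def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit_headers(headers):
    """headers: list of (name, value) pairs. Returns a list of findings."""
    findings, by_name = [], {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    # 1. HTTPS enforcement: HSTS must be present with a positive max-age.
    max_age = 0
    for directive in by_name.get("strict-transport-security", [""])[0].split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            max_age = int(val)
    if max_age <= 0:
        findings.append("HSTS missing or max-age is zero")
    csp = parse_csp(by_name.get("content-security-policy", [""])[0])
    # 2. Framing: X-Frame-Options or CSP frame-ancestors must refuse other origins.
    xfo = by_name.get("x-frame-options", [""])[0].strip().upper()
    ancestors = csp.get("frame-ancestors")
    if xfo not in ("DENY", "SAMEORIGIN") and ancestors not in ([], ["'none'"], ["'self'"]):
        findings.append("page can be framed by other origins")
    # 3. External content: default-src may only name 'self' or 'none'.
    default_src = csp.get("default-src")
    if default_src is None or any(s not in ("'self'", "'none'") for s in default_src):
        findings.append("CSP does not restrict content to the site itself")
    # 4. Cookies: Expires or Max-Age makes a cookie outlive the browser session.
    for cookie in by_name.get("set-cookie", []):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if any(a.startswith(("expires=", "max-age=")) for a in attrs):
            findings.append("persistent cookie: " + cookie.split("=", 1)[0])
    return findings

HARDENED = [("Strict-Transport-Security", "max-age=31536000"),
            ("X-Frame-Options", "DENY"), ("Content-Security-Policy", "default-src 'self'")]
WEAK = [("Strict-Transport-Security", "max-age=0"),
        ("Content-Security-Policy", "default-src 'self' https://cdn.example"),
        ("Set-Cookie", "sid=abc; Max-Age=3600; Secure")]

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_headers(sample))
```

To audit a live response, pass the (name, value) pairs returned by an HTTP client's header listing to `audit_headers`.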
For verification, the SHA1 fingerprint of the "securedrop.propublica.org" server SSL certificate is 33:03:99:09:7E:D3:83:E4:AC:48:54:E4:89:19:2D:47:68:61:7A:B5 and the Tor "hidden service" address of the ProPublica SecureDrop server is http://pubdrop4dw6rk3aq.onion/ . Publishing this address in several places makes it more difficult for an attacker to secretly change the link to their own "hidden service" address without someone noticing the change.