Brussels / 3 & 4 February 2018


Improving the SecureDrop system architecture

Good useability in a high security environment

SecureDrop is designed to address a threat model including nation state adversaries. Journalists and system administrators understand the tradeoff and are ready to make significant efforts because usability is difficult to improve without sacrificing security. We explore novel approaches to deploy the recommended hardware that significantly improves usability without compromising security.

When employees of an intelligence agency follows Snowden's footsteps, they boot tails in a coworking space and submit to the SecureDrop Tor Hidden Service. SecureDrop is the only whistleblower framework that addresses a threat model with a nation state adversary. The journalist then uses one machine to get the documents from the server. And moves them to an airgap machine to decrypt and read the documents. The server itself is made of two machines, one of them running the Tor Hidden Server and the other running OSSEC to monitor it. They sit behind a carefully configured firewall and are controlled from an admin workstation running Ansible.

The physical separation between machines is an essential part of the SecureDrop security. They are non trivial to setup and use for both the journalist and the system administrator of the news organization. We will present alternatives designed to improve the usability for both of them while preserving a reasonable level of security.


Photo of Eric Hartsuyker (heartsucker) Eric Hartsuyker (heartsucker)