The Way That Some News Organisations Explain How to Use SecureDrop is Putting Their Sources at Risk

To be clear:

I am definitely not saying there is a problem with SecureDrop itself.

TL;DR

Some news organisations host their SecureDrop advice on subdomains such as https://securedrop.example.com which will show up in logs even when using HTTPS. They should be hosted at https://example.com/securedrop so that they don’t show up in logs.

An HTTPS Primer

When you request a site over HTTPS, the entire URL is not sent in the clear. The hostname (the part before the first slash) is sent in the clear, but the rest of the URL is not. So if I visit https://www.example.com/man-bites-dog, all my boss can see in the logs is that I visited example.com, but they cannot see which page I accessed. Visits to https://www.example.com/virtue-and-kindness and https://www.example.com/hardcore-pornography will look exactly the same in logs.

The Problem

SecureDrop is a system that allows whistleblowers to submit information to news organisations anonymously. In order to explain to whistleblowers how to use SecureDrop, news organisations have pages on the “normal” internet that give an explanation and list the appropriate TOR addresses to use. For example, this is The Guardian’s page on how to use SecureDrop.

The problem is where these pages are hosted. If I access the Associated Press’s advice on using SecureDrop, I have to point my browser at https://securedrop.ap.org/. If I want to find out how to submit information to ProPublica via SecureDrop, I have to visit https://securedrop.propublica.org/.

Even if I access those URLs via HTTPS, the hostname is sent in the clear (so that my packets can find their way to the right server). So if my boss, the government, or another attacker, has access to company logs (if I’m accessing from work) or my ISP or mobile/cell phone providers logs (if I access from home or my phone) they will be able to see that I have accessed a page that tells me how to leak information using SecureDrop.

If an organisation discovers some of its material has been leaked to The Guardian, it would be very easy for them to search through their logs to see who accessed https://securedrop.theguardian.com and it could be very difficult for me, as the whistleblower, to explain why I was accessing that page. If I do it from home, or from my mobile/cell phone, then maybe they can subpoena the ISP’s/provider’s records if they have enough reason to suspect me.

What Should NewsOrgs Be Doing?

Newsorgs’ SecureDrop advice page URLs should look as close to every other URL on that site as possible. If I visit a news story page on The Washington Post and then their SecureDrop site at https://www.washingtonpost.com/wp-stat/securedrop/securedrop.html both requests will show in my boss’s logs as being for https://www.washingtonpost.com and nothing more. They cannot tell whether I accessed a news story, or the SecureDrop site, which gives me plausible deniability.

Advice hosted at https://securedrop.theguardian.com/securedrop.html
Logs show: https://securedrop.theguardian.com

Advice hosted at https://www.theguardian.com/securedrop.html
Logs show: https://www.theguardian.com

One of these is clearly better than the other for me, the whistleblower.

Right and Wrong

These are just the first ones I found with a quick search.

Sites with their SecureDrop advice in a sensible place:
https://www.apache.be/securedrop/
https://cpj.org/emergency-response/how-to-get-help.php
https://theintercept.com/securedrop/
https://digital.newint.com.au/securedrop
https://www.washingtonpost.com/securedrop/

Looks good but isn’t:
https://gawkermediagroup.com/securedrop/
(This seems to be the only page hosted on that particular domain.)

Sites with SecureDrop in a location that will show up in logs:
https://securedrop.ap.org/
https://securedrop.cbc.ca/
https://securedrop.theguardian.com/
https://securedrop.propublica.org/

Disclaimer

I’m a physicist and a teacher, not a computer security expert. It’s possible that I have totally misunderstood some aspect of how HTTPS or logging works. If that’s the case, please let me know.