The Way That Some News Organisations Explain How to Use SecureDrop is Putting Their Sources at Risk

To be clear:

I am definitely not saying there is a problem with SecureDrop itself.


Some news organisations host their SecureDrop advice on subdomains such as which will show up in logs even when using HTTPS. They should be hosted at so that they don’t show up in logs.

An HTTPS Primer

When you request a site over HTTPS, the entire URL is not sent in the clear. The hostname (the part before the first slash) is sent in the clear, but the rest of the URL is not. So if I visit, all my boss can see in the logs is that I visited, but they cannot see which page I accessed. Visits to and will look exactly the same in logs.

The Problem

SecureDrop is a system that allows whistleblowers to submit information to news organisations anonymously. In order to explain to whistleblowers how to use SecureDrop, news organisations have pages on the “normal” internet that give an explanation and list the appropriate TOR addresses to use. For example, this is The Guardian’s page on how to use SecureDrop.

The problem is where these pages are hosted. If I access the Associated Press’s advice on using SecureDrop, I have to point my browser at If I want to find out how to submit information to ProPublica via SecureDrop, I have to visit

Even if I access those URLs via HTTPS, the hostname is sent in the clear (so that my packets can find their way to the right server). So if my boss, the government, or another attacker, has access to company logs (if I’m accessing from work) or my ISP or mobile/cell phone providers logs (if I access from home or my phone) they will be able to see that I have accessed a page that tells me how to leak information using SecureDrop.

If an organisation discovers some of its material has been leaked to The Guardian, it would be very easy for them to search through their logs to see who accessed and it could be very difficult for me, as the whistleblower, to explain why I was accessing that page. If I do it from home, or from my mobile/cell phone, then maybe they can subpoena the ISP’s/provider’s records if they have enough reason to suspect me.

What Should NewsOrgs Be Doing?

Newsorgs’ SecureDrop advice page URLs should look as close to every other URL on that site as possible. If I visit a news story page on The Washington Post and then their SecureDrop site at both requests will show in my boss’s logs as being for and nothing more. They cannot tell whether I accessed a news story, or the SecureDrop site, which gives me plausible deniability.

Advice hosted at
Logs show:

Advice hosted at
Logs show:

One of these is clearly better than the other for me, the whistleblower.

Right and Wrong

These are just the first ones I found with a quick search.

Sites with their SecureDrop advice in a sensible place:

Looks good but isn’t:
(This seems to be the only page hosted on that particular domain.)

Sites with SecureDrop in a location that will show up in logs:


I’m a physicist and a teacher, not a computer security expert. It’s possible that I have totally misunderstood some aspect of how HTTPS or logging works. If that’s the case, please let me know.