HTTPS on the Source Interface
The Source Interface for SecureDrop is automatically served as a Tor
Hidden Service, so a *.onion URL is required to reach it.
While Tor Hidden Services provide end-to-end encryption by default, as well
as strong anonymity, high-profile organizations may wish to provide
further verification to Sources that the SecureDrop instance belongs
to the organization listed on the Landing Page.
Obtaining an HTTPS certificate for Onion URLs
DigiCert is currently the only certificate authority (CA) that issues HTTPS certificates for Onion names, and it requires organizations to follow the Extended Validation (EV) process in order to obtain a certificate for an Onion URL. Browsers that support the EV indicator display these certificates with a green trust bar that includes information about the organization.
The additional information about the organization, such as its name and geographic location, is checked by the CA during the EV process. A Source can use this information to confirm the authenticity of a SecureDrop instance, beyond the verification already available in the SecureDrop Directory.
In order to obtain an HTTPS certificate for your SecureDrop instance, contact DigiCert directly. As part of the Extended Validation, you will be required both to confirm your affiliation with the organization, and to demonstrate control over the Onion URL for your Source Interface.
Activating HTTPS in SecureDrop
Make sure you have installed SecureDrop already, and made
note of the Source Interface Onion URL. Edit the site-specific variables
for your organization to include the following:
```yaml
securedrop_app_https_on_source_interface: yes
securedrop_app_https_certificate_cert_src: sd.crt
securedrop_app_https_certificate_key_src: sd.key
securedrop_app_https_certificate_chain_src: ca.crt
```
The filenames should match the names of the files provided to you by DigiCert,
and the files should be saved inside the
install_files/ansible-base/ directory. Then rerun the installation;
the webserver configuration will be updated to apply the HTTPS settings.
Confirm that you can access the Source Interface at
https://<your_domain>.onion, and also that the HTTP URL
http://<your_domain>.onion redirects automatically to HTTPS.
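The following preflight script is an added example, not code from SecureDrop or its documentation. It checks the two things that most often go wrong in the procedure above: the site-specific variables pointing at files that are missing from, or misnamed in, the ansible-base directory (or a private key left world-readable), and the HTTP onion URL not actually redirecting to HTTPS. It assumes only the four variable names quoted above and PEM-encoded files from the CA; the directory contents and the captured HTTP response it runs against are constructed placeholders, and in practice the response would be fetched through the Tor SOCKS proxy.

```python
"""Preflight checks for the HTTPS-on-Source-Interface settings on this page.

Added example; not code from SecureDrop or its documentation. It assumes the
four variable names quoted above, PEM files as issued by the CA, and a captured
response (status line plus headers) from the HTTP onion URL, e.g. fetched with
curl through a Tor SOCKS proxy.
"""
import os
import re
import tempfile

HTTPS_FILE_KEYS = (
    "securedrop_app_https_certificate_cert_src",
    "securedrop_app_https_certificate_key_src",
    "securedrop_app_https_certificate_chain_src",
)

# Constructed site-specific fragment, matching the variables shown on the page.
SITE_SPECIFIC = """\
securedrop_app_https_on_source_interface: yes
securedrop_app_https_certificate_cert_src: sd.crt
securedrop_app_https_certificate_key_src: sd.key
securedrop_app_https_certificate_chain_src: ca.crt
"""


def parse_site_specific(text):
    """Read flat `key: value` lines; enough for these variables, not a YAML parser."""
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        values[key.strip()] = value.strip().strip("'\"")
    return values


def pem_labels(path):
    """Return the PEM block labels (e.g. 'CERTIFICATE', 'PRIVATE KEY') found in a file."""
    with open(path, encoding="ascii", errors="replace") as fh:
        return re.findall(r"-----BEGIN ([A-Z ]+)-----", fh.read())


def check_https_config(site_specific_text, ansible_base_dir):
    """Return a list of problems; an empty list means the settings are consistent."""
    conf = parse_site_specific(site_specific_text)
    if conf.get("securedrop_app_https_on_source_interface", "no").lower() not in ("yes", "true"):
        return ["securedrop_app_https_on_source_interface is not enabled"]
    problems = []
    for key in HTTPS_FILE_KEYS:
        name = conf.get(key)
        if not name:
            problems.append(f"{key} is not set")
            continue
        if os.sep in name:  # the files are copied from ansible-base/, so bare filenames only
            problems.append(f"{key}: use a bare filename saved in {ansible_base_dir}")
            continue
        path = os.path.join(ansible_base_dir, name)
        if not os.path.isfile(path):
            problems.append(f"{key}: {name} not found in {ansible_base_dir}")
            continue
        labels = pem_labels(path)
        if key.endswith("key_src"):
            if not any("PRIVATE KEY" in label for label in labels):
                problems.append(f"{name} is not a PEM private key")
            elif os.stat(path).st_mode & 0o077:
                problems.append(f"{name} is readable by group/others; chmod 600 it")
        elif "CERTIFICATE" not in labels:
            problems.append(f"{name} is not a PEM certificate")
    return problems


def check_http_redirect(onion, status_line, headers):
    """True if a response captured from http://<onion>/ redirects the Source to https://<onion>."""
    m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", status_line)
    if not m or m.group(1) not in ("301", "302", "307", "308"):
        return False
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("location", "").startswith(f"https://{onion}")


def make_constructed_dir(cert="sd.crt", key="sd.key", chain="ca.crt"):
    """Create a throwaway stand-in for ansible-base/ with placeholder PEM files (no real keys)."""
    directory = tempfile.mkdtemp(prefix="sd-https-")
    for name, label in ((cert, "CERTIFICATE"), (chain, "CERTIFICATE"), (key, "PRIVATE KEY")):
        with open(os.path.join(directory, name), "w") as fh:
            fh.write(f"-----BEGIN {label}-----\nMIIBplaceholder\n-----END {label}-----\n")
    os.chmod(os.path.join(directory, key), 0o600)
    return directory


if __name__ == "__main__":
    print(check_https_config(SITE_SPECIFIC, make_constructed_dir()))  # []
    # Misnamed certificate file: the config says sd.crt but the CA's file was saved as securedrop.crt
    print(check_https_config(SITE_SPECIFIC, make_constructed_dir(cert="securedrop.crt")))
    # Constructed response headers standing in for what curl returns from the HTTP onion URL
    print(check_http_redirect("example.onion", "HTTP/1.1 301 Moved Permanently",
                              {"Location": "https://example.onion/"}))  # True
```

Run it from the directory that contains install_files/ after saving the CA's files there, passing that directory instead of the constructed one; for the redirect check, capture the status line and headers of the HTTP onion URL through Tor and feed them to `check_http_redirect`. A 200 response, or a redirect whose Location is still http://, means the HTTPS settings were not applied.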