HTTPS on the Source Interface¶

The SecureDrop Source Interface is served as an onion service with an .onion URL, requiring Tor Browser to access it. While onion services provide end-to-end encryption by default, as well as strong anonymity, there are several reasons why you might want to consider deploying an additional layer of encryption and authentication via HTTPS:

Extended Validation (EV) certificates, which are currently the only type of certificates that may be issued for *.onion addresses, are intended to attest to the identity of the organization running a service. This provides an additional measure of authenticity (in addition to the organization’s Landing Page and the SecureDrop Directory) to help assure sources that they are communicating with the intended organization when they access a given Source Interface.
SecureDrop supports v3 onion services, which use updated cryptographic primitives that provide better transport-layer encryption than those used by v2 onion services. Using HTTPS on the source interface will provide an extra layer of encryption for data in transit.

Obtaining an HTTPS certificate for Onion URLs¶

Digicert¶

DigiCert is one of only two Certificate Authorities (CA) that issue HTTPS certificates for .onion sites. DigiCert requires organizations to follow the Extended Validation (EV) process in order to obtain a certificate for an Onion URL, so you should start by reviewing DigiCert’s documentation for obtaining a .onion certificate.

The EV certificates display in browsers with a green trust bar, including information about the organization:

HTTPS Onion cert

The additional information about the organization, such as name and geographic location, are checked by the CA during the EV process. A Source can use this information to confirm the authenticity of a SecureDrop instance, beyond the verification already available in the SecureDrop Directory.

In order to obtain an HTTPS certificate for your SecureDrop instance, contact DigiCert directly. As part of the Extended Validation, you will be required both to confirm your affiliation with the organization, and to demonstrate control over the Onion URL for your Source Interface.

In order for you to demonstrate control over the Onion URL for your Source Interface, DigiCert will provide you with some text and ask you to make it available at a specific URL: <onion_url>/.well-known/pki-validation/<unique_hash>.txt. We have support for this workflow:

# From the Admin Workstation, SSH to the Application Server
$ ssh app

# Edit the validation file with content the CA provides
# Replace <unique_hash> with the token provided by Digicert
$ sudo vi /var/www/securedrop/.well-known/pki-validation/<unique_hash>.txt

Note

If you see “File Not Found” when navigating to this file in Tor Browser, check out the latest release in your Admin Workstation and re-run ./securedrop-admin install.

While the CAB forum has specified that .onion certificates may have a maximum lifetime of 15 months, we have heard that some folks have run into issues with such certificates, and currently it seems safest to give the certificate a validity period of 12 months.

Tip

Be patient! HTTPS certificates for .onions are a recent and fairly niche development, so you may run into various issues while trying to obtain the certificate.

Warning

As part of the process for obtaining an HTTPS certificate, you will need to generate a private key. This is usually stored in a file with a .key extension. It is critical that you protect this key from unauthorized access. We recommend doing this entire process on the Admin Workstation, and avoiding copying the .key to any insecure removable media or other computers.

Harica¶

The Greek CA Harica is now providing Domain Validation (DV) certificates for .onion addresses. DV certificates are less useful for authentication purposes, but may still be used to provide another layer of encryption for source traffic.

Activating HTTPS in SecureDrop¶

Make sure you have installed SecureDrop already.

First, on the Admin Workstation:

cd ~/Persistent/securedrop

Make note of the Source Interface Onion URL. Now from ~/Persistent/securedrop on your admin workstation:

./securedrop-admin sdconfig

This command will prompt you for the following information:

Whether HTTPS should be enabled on Source Interface (requires EV cert): yes
Local filepath to HTTPS certificate (optional, only if using HTTPS on source interface): sd.crt
Local filepath to HTTPS certificate key (optional, only if using HTTPS on source interface): sd.key
Local filepath to HTTPS certificate chain file (optional, only if using HTTPS on source interface): ca.crt

The filenames should match the names of the files provided to you by DigiCert, and should be saved inside the install_files/ansible-base/ directory. You’ll rerun the configuration scripts:

./securedrop-admin install

The webserver configuration will be updated to apply the HTTPS settings. Confirm that you can access the Source Interface at https://<onion_url>, and also that the HTTP URL http://<onion_url> redirects automatically to HTTPS.

Note

By default, Tor Browser will send an OCSP request to a Certificate Authority (CA) to check if the Source Interface certificate has been revoked. Fortunately, this occurs through Tor. However, this means that a CA or anyone along the path can learn the time that a Tor user visited the SecureDrop Source Interface. Future versions of SecureDrop will add OCSP stapling support to remove this request. See OCSP discussion for the full discussion.