We’re happy to announce that sources can now access our SecureDrop document-submission website using HTTPS. Although SecureDrop connections were already encrypted previously, our new setup provides leakers with additional assurance that they are connecting with the authentic Intercept SecureDrop and not an impostor.
You can visit our SecureDrop server by pointing the Tor Browser here: https://y6xjgkgwj47us5ca.onion/
SecureDrop runs as a “hidden service” within the anonymous web network Tor. A hidden service is a special kind of server that is only accessible through Tor and has a domain name ending in .onion (Tor was originally called The Onion Router because it works by creating layers upon layers of encryption to hide users’ IP addresses).
The Intercept’s SecureDrop installation is only the third Tor hidden service to receive a browser-trusted HTTPS certificate, following Facebook and the Bitcoin website Blockchain.info. HTTPS provides two things: Confidentiality — data shared between web browsers and HTTPS websites is encrypted — and authentication — web browsers can verify that they’re visiting the website the user thinks they’re visiting. Authentication helps prevent man-in-the-middle attacks, which occur when an attacker entices someone to open an encrypted connection to the attacker’s server by impersonating the real server.
Even without HTTPS, the connection between Tor Browser and our SecureDrop hidden service was already encrypted. Adding HTTPS provides a second redundant layer of encryption, and it also adds authentication. So if a source finds herself visiting a SecureDrop website that looks like it belongs to The Intercept, she can inspect our SSL certificate to confirm that it actually belongs to us and isn’t a honeypot posing as our SecureDrop website — or at least confirm that this is the case according to DigiCert, the certificate authority that issued our SSL certificate.
The future of combining HTTPS and the .onion top-level domain is uncertain because .onion is not an officially recognized top-level domain. But the gears are in motion to get .onion recognized as a “Special-Use Domain Name.” We won’t know for sure if we get to keep our SSL certificate until the Internet Engineering Steering Group agrees on whether or not to make .onion a standard, a decision slated to be made in October.
Until then, our sources can enjoy this extra layer of protection when they communicate with us through SecureDrop.