Well, earlier today, security researchers disclosed vulnerabilities, collectively called EFAIL, in how the decryption and display of PGP-encrypted emails are handled in multiple email clients. SecureDrop submissions are not sent via email, and can only be decrypted on the air-gapped Secure Viewing Station, so the content of submissions is not impacted by this vulnerability. This includes the content of messages from and to sources sent via the SecureDrop user interface.
However, SecureDrop does use GPG-encrypted emails for OSSEC security alerts to administrators, and some SecureDrop users receive messages from our support portal that are GPG-encrypted. Beginning in SecureDrop 0.7.0, to be released tomorrow, Tuesday May 15, 2018, journalists can also optionally receive GPG-encrypted alerts about new submissions (these do not contain any submission content or metadata).