GlobaLeaks Threat Model and Security Design

Release 2.0 of June 2013 (updated Apr 2014)

Goal

This document describes the threat model and the security properties of GlobaLeaks 2.x.

Introduction

GlobaLeaks is an Open Whistleblowing Framework that can be used in many different usage scenarios, which may require very different approaches in order to obtain both security and flexibility.

Whistleblowing policies and procedures within a corporation, for compliance purposes, are considerably different from those of a media agency or of a hacktivism initiative.

Given the flexibility of use of GlobaLeaks, the threat model considers different usage scenarios, since the threats vary with them.

Contents

- Goal
- Introduction
- Actors Matrix
- Anonymity Matrix
- Communication Security Matrix
- Identity Disclosure Matrix
- Usage Scenarios Matrix
- GlobaLeaks Security Matrix
- Data Security Matrix
- Data Retention Policy
- Application Security
  - Web Application Security
  - Server Resiliency
  - Client Application Security
- Other threats to privacy and anonymity
  - Proxy Detection
  - Time Correlation
  - Browser History and Cache
  - Metadata Cleanup
- Security Awareness
  - Privacy Badge
  - Comfort Loader
  - Application's interfaces tips
- What GlobaLeaks does not protect from

Actors Matrix

As a first step we define the Actors, that is, the users who interact with a GlobaLeaks Node.

Whistleblower

The user who submits an anonymous Tip through the GlobaLeaks Node.

He may be in a very low-risk up to a very high-risk context, depending on the usage scenario and on the sensitivity of the information being submitted.

Receiver

The user (person or organization) receiving the anonymous Tip submitted by the Whistleblower.

A Receiver may receive the data submitted by a Whistleblower through the embedded GlobaLeaks interface called Tip, or on a third-party system used for fact-checking (e.g., DocumentCloud, FactChecking) or workflow management (e.g., OTRS or other ticketing systems).

Node Administrator

The user (person or organization) running the GlobaLeaks Node.

The Node Administrator may not be the same entity that runs, promotes and manages the whistleblowing initiative (e.g., hosted solutions, multi-stakeholder projects).

In all the scenarios described, the Node Administrator has to be considered a trusted entity with respect to the data exchanged by the actors.

In most scenarios the Node Administrator will not be a trusted entity with respect to the identity of the actors.

Each security measure must always be applied with reference to the actors using GlobaLeaks, while always considering the security and usability tradeoff.


Anonymity Matrix

The anonymity of the different actors must be classified according to the context of use, using the following definitions:

Anonymous

The actor's identity and location cannot be disclosed.

Confidential

The other actors in the interaction (e.g., Node Administrator, Receiver) cannot identify the actor taking the action considered (e.g., the Whistleblower), but a third party (e.g., a Tor2web proxy) may identify the actor.

No Anonymity

The other actors in the interaction (e.g., Node Administrator) can directly identify the actor taking the action considered (e.g., the Whistleblower), if he has not taken measures of his own to guarantee his anonymity.

The following matrix relates the previous definitions to the different architectural uses and deployments of the GlobaLeaks software:

Anonymity Matrix

Actor                on Tor       on Tor2web     on Public Internet
Receiver             Anonymous    Confidential   No Anonymity [1]
Whistleblower        Anonymous    Confidential   No Anonymity [1]
Node Administrator   Anonymous    Anonymous      No Anonymity [1]

Different uses of GlobaLeaks require considering the requirements of each actor in the anonymity matrix.

The anonymity level is reported in the Actor's user interface, so that the user is aware of it.

The Node Administrator can configure the Anonymity level required for each Actor.

Communication Security Matrix

The security of communications against monitoring of the transmission by third parties may have different requirements depending on the context of use.

High Security

The communication is encrypted end-to-end with the GlobaLeaks Node and no third party is in a position to eavesdrop on it.

Medium Security

The communication is encrypted end-to-end with the GlobaLeaks Node.

A third party able to subvert SSL (e.g., a government re-issuing the SSL certificate) is in a position to eavesdrop on the communication.

If SSL security holds, monitoring the Actor's communication line or the GlobaLeaks Node's communication line is not possible.

Low Security

The communication is not encrypted end-to-end with the GlobaLeaks Node, but only up to a proxy. The proxy (e.g., Tor2web) then relays it over a second end-to-end connection to the GlobaLeaks Node.

The proxy is a trusted component, but it may be compromised or controlled and then eavesdrop on the communication.

Monitoring the Actor's communication line is not possible.

Monitoring the GlobaLeaks Node's communication line is not possible.

Monitoring requires hacking or owning the proxy.

No Security

The communication is not encrypted at all.

Monitoring the communication line of the Actor or of the GlobaLeaks Node is possible.

The following matrix applies the previous definitions to the different architectural uses and deployments of the GlobaLeaks software:

Communication Security Matrix

Transport        Security Level
Tor              High Security
Internet-SSL     Medium Security
Tor2web          Low Security
Internet-Clear   No Security

Identity Disclosure Matrix

Regardless of the anonymity matrix, the various Actors may be in a position to decide, or be mandated, to disclose or not disclose their identity.

Disclosed

The Actor has decided, or has been mandated, to disclose his identity to the other Actors.

Partially Disclosed (pseudonym)

The Actor has decided, or has been mandated, to operate under a pseudonym (chosen by himself) while interacting with the other Actors. The pseudonym may be a "nickname" or the name of an internal division or organizational unit of an organization.

Undisclosed

The Actor's identity is not disclosed and its disclosure is not expected.

Optionally Disclosed

The Actor's identity is not disclosed by default, but he is given the chance to disclose it on a voluntary basis (e.g., in some workflows an anonymous tip-off MAY receive a follow-up, while a formal report with the identity disclosed MUST receive one).

Identity disclosure is a highly relevant topic, because even in an Anonymous, High Security environment identity disclosure may be an option in the workflow of specific whistleblowing initiatives.

If an Actor starts with the anonymity level "Anonymous" and with an "Undisclosed" identity, he can always decide, at a later stage, to disclose his identity. The opposite is not possible.

This is one of the key elements of the protection that GlobaLeaks provides to Actors.

Voluntary identity disclosure may be required in certain whistleblowing procedures because, generally, the "MAY" vs. "MUST" distinction with respect to the actions of Receivers is a fundamental guarantee for many whistleblowing initiatives (e.g., a corporate or institutional whistleblowing node should not follow a MUST approach for anonymous submissions, treating them as tip-offs rather than formal reports).

Usage Scenarios Matrix

In this section you will find a set of examples showing how different anonymity levels for different actors can be combined, depending on the context of use.

Media Outlet

A Media Outlet, whose identity is disclosed, decides to start a whistleblowing initiative. The outlet's Receivers are disclosed to Whistleblowers, so that they can trust a specific journalist rather than the outlet itself. Full anonymity must be assured to Whistleblowers, and their identity cannot be disclosed in connection with anonymous submissions. The Whistleblower MAY choose to willingly disclose his identity (journalists in some countries have source protection among their goals).

Corporate Compliance

A Corporation needs to implement transparency or anti-bribery law compliance by promoting its initiative to employees, consultants and providers. The Receivers are partially disclosed, because they are represented by the different divisions of the company's "Internal Audit" business unit. The Whistleblower is guaranteed full anonymity, but he can optionally disclose his identity (tip-off vs. formal report).

Government Tax Whistleblowing

A Government Authority (central or local) with its own public identity wants to promote tax whistleblowing with a rewards procedure for Whistleblowers (e.g., the IRS). The Receivers are not known, because they are an internal division that does not expose its members' names to the Whistleblower in advance. The Whistleblower MUST disclose his identity in order to be eligible for rewards.

Human Rights Activism Initiative

A Human Rights Group starts a whistleblowing initiative to spot human rights violations in a dangerous place. The organization requires anonymity to avoid retaliation and takedowns, and operates under a pseudonym. The Receivers MUST NOT be disclosed to the Whistleblowers, but a partial disclosure by pseudonym can be acceptable in order to give proper trust in "who the whistleblower is submitting to". The Whistleblower MUST be guaranteed anonymity and his identity cannot be disclosed.

Citizen Media Initiative

A citizen media initiative with its own public identity wants to collect tips on a specific topic (political or environmental malpractice, corruption, etc.) in a medium-to-low-risk operational context. The Receivers must be disclosed, but under a pseudonym in order to avoid giving them too much responsibility, while accepting a Confidential relationship with no anonymity (Tor2web). If the topic is not life-threatening, the Whistleblower can also be allowed to submit in a Confidential way, to lower the entrance barrier.

Local Municipality Street Hole Reporting Service

A local municipality wants to set up a street hole reporting service with its own public identity. The Receiver can be disclosed to facilitate CRM (Citizen Relationship Management), and Whistleblower identity protection is not required.

GlobaLeaks Security Matrix

Below we show how different usage scenarios may require different anonymity levels, communication security requirements and identity disclosure settings for the different actors.

GlobaLeaks, through its user interface, provides each actor with the appropriate security awareness information, and enforces specific requirements on specific actors through clear configuration guidelines.

Scenario                            Actor           Anonymity level   Identity Disclosure   Communication Security
Media Outlet                        Receiver        No Anonymity      Disclosed             Medium Security
                                    Whistleblower   Anonymous         Undisclosed           High Security
                                    Node Admin      No Anonymity      Disclosed             Medium Security
Corporate Compliance                Receiver        No Anonymity      Partially Disclosed   Medium Security
                                    Whistleblower   Anonymous         Optionally Disclosed  High Security
                                    Node Admin      No Anonymity      Disclosed             Medium Security
Government Tax Whistleblowing       Receiver        No Anonymity      Undisclosed           Medium Security
                                    Whistleblower   No Anonymity      Disclosed             Medium Security
                                    Node Admin      No Anonymity      Disclosed             Medium Security
Human Rights Activism Initiative    Receiver        Anonymous         Partially Disclosed   High Security
                                    Whistleblower   Anonymous         Undisclosed           High Security
                                    Node Admin      Anonymous         Partially Disclosed   High Security
Citizen Media Initiative            Receiver        Confidential      Confidential          Low Security
                                    Whistleblower   Confidential      Optionally Disclosed  Low Security
                                    Node Admin      No Anonymity      Disclosed             Medium Security
Municipality "Hole in the streets"  Receiver        No Anonymity      Undisclosed           Medium Security
Reporting                           Whistleblower   No Anonymity      Optionally Disclosed  No Security
                                    Node Admin      No Anonymity      Disclosed             Medium Security

The previous table gives only some examples of GlobaLeaks's flexibility; different anonymity, identity and security measures apply to other usage scenarios and actors.

Data Security Matrix

This section highlights the data handled by the GlobaLeaks software and the different protection schemes applied to it.

The following data are involved in GlobaLeaks:

Submission Data

The data associated with a submission, such as the filled forms and selectors provided by the Whistleblower.

Submission Files

The files associated with a submission, which may require special care because of per-Receiver encryption and optional metadata cleanup.

Node Config Data

All the data for the configuration and customization of the node.

Software Files

All the files the software needs in order to work.

Notification Data

The data sent to notify Receivers of a new Tip or comment (email, Jabber, etc.).

Below is a matrix showing the different security measures applied to the data:

Data               Encryption                              Metadata Cleanup   Blacklisting                          Sanitization
Submission Data    Encrypted database with admin password  N/A                Keyword blacklisting, Antispam        Anti XSS
                   and/or file-system encryption
Submission Files   Encrypted with PGP Receiver's Keys      Optional           Extension blocking, Antivirus         N/A
                   (if available)
Node Config Data   Encrypted database with admin password  N/A                N/A                                   N/A
Software Files     N/A                                     N/A                N/A                                   N/A
Notification Data  Encrypted with PGP Receiver's Keys      N/A                Digest/Antispam to prevent flooding   N/A
                   (if available)*

* WARNING: Node data encryption is not complete, due to a serious bug in the Tor software, which provides no way to protect and/or handle Tor Hidden Service keys dynamically. This will be fixed when the following Apaf, Tor and TxTorcon tickets are resolved:

Data Retention Policy

If a GlobaLeaks Node collects Tips for a long time, its potential value rises and this can attract attackers.

A Tip does not require permanent preservation in the Node, therefore every Tip has an expiration date.

The time to live of a Tip is configurable (default: 15 days).

When the expiration date is reached, the Tip (files, supplied descriptions, comments) is removed.

Exceptions in the Data Retention Policy

  1. If a Receiver has the right privilege (assigned by the Admin), he can extend the expiration date when needed
     (e.g., a Tip with a 15-day time to live, extended on the 5th day, would expire on the 20th day).
  2. When all the following conditions hold:

- the Receiver has a PGP key configured,

- the Receiver has enabled encrypted notifications,

- the Admin has enabled the non-default option to include the submission fields in the encrypted notification emails,

sensitive information leaves the GlobaLeaks system and has to be managed by the Receiver's operational security.
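The following is an added example, not GlobaLeaks code, of how the retention rules above can be implemented: every Tip gets an expiry of creation time plus a configurable time to live, a Receiver holding the extension privilege can push the expiry one full TTL past the moment of extension, and a purge pass removes everything whose expiry has passed. The class and function names and the sample timeline are assumptions made for the example; the 15-day default is the value stated in the text.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Added example (not GlobaLeaks code). Names are assumptions for illustration;
# the 15-day default TTL is the value given in the retention policy text.

DEFAULT_TTL = timedelta(days=15)


@dataclass
class Tip:
    tip_id: str
    created_at: datetime
    ttl: timedelta = DEFAULT_TTL
    expires_at: datetime = field(init=False)

    def __post_init__(self):
        # Expiry is fixed at creation: created_at + TTL.
        self.expires_at = self.created_at + self.ttl

    def extend(self, now: datetime, receiver_can_extend: bool) -> datetime:
        """A Receiver with the extension privilege moves expiry to now + TTL."""
        if not receiver_can_extend:
            raise PermissionError("receiver lacks the extension privilege")
        self.expires_at = now + self.ttl
        return self.expires_at


class TipStore:
    def __init__(self):
        self._tips = {}

    def add(self, tip: Tip) -> None:
        self._tips[tip.tip_id] = tip

    def get(self, tip_id: str):
        return self._tips.get(tip_id)

    def purge_expired(self, now: datetime) -> list:
        """Remove every Tip whose expiry has passed; return the removed ids."""
        expired = [tid for tid, t in self._tips.items() if t.expires_at <= now]
        for tid in expired:
            # Files, descriptions and comments are removed together with the Tip.
            del self._tips[tid]
        return expired


def retention_example():
    """Constructed timeline: two Tips created on day 0, one extended on day 5.

    Returns (ids purged on day 15, ids purged on day 20, whether an
    unprivileged extension attempt was refused).
    """
    day0 = datetime(2014, 4, 1)
    store = TipStore()
    store.add(Tip("a", created_at=day0))
    store.add(Tip("b", created_at=day0))

    # A Receiver without the privilege must not be able to extend anything.
    try:
        store.get("a").extend(now=day0 + timedelta(days=3), receiver_can_extend=False)
        denied = False
    except PermissionError:
        denied = True

    # Day 5: a privileged Receiver extends "b", so it now expires on day 20.
    store.get("b").extend(now=day0 + timedelta(days=5), receiver_can_extend=True)

    purged_day15 = store.purge_expired(day0 + timedelta(days=15))  # only "a"
    purged_day20 = store.purge_expired(day0 + timedelta(days=20))  # now "b"
    return purged_day15, purged_day20, denied
```

The purge pass is meant to run from a periodic job, not from a request handler; a Node that only purges lazily on access keeps expired Tips on disk for as long as nobody looks at them, which defeats the point of bounding the Node's value to an attacker.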

Application Security

This section highlights the main security measures against application-related threats.

Web Application Security

The web application follows the OWASP REST Security Cheat Sheet with regard to:

Server Resiliency

The server may be subject to a Denial of Service (DoS) attack by flooding its REST APIs with requests.

The server mitigates such threats with a design that clearly separates synchronous operations (handling of REST requests) from asynchronous operations (processing, encryption and manipulation of data, sending notifications).

That way the server never performs I/O- or CPU-intensive operations as a direct consequence of an HTTP request.
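As an added illustration of that split (example code, not the GlobaLeaks server), the request path below does nothing but cheap validation and an enqueue, while the expensive work runs later in a worker. The one caveat a practitioner adds is that the backlog must be bounded: an unbounded queue just moves the DoS from CPU to memory, so when the backlog is full the API sheds load with a 503 instead of absorbing the flood. Class names, the size limits and the PBKDF2 stand-in for "expensive work" are assumptions for the example.

```python
import hashlib
import queue
import threading

# Added example (not GlobaLeaks code). Limits and names are assumptions.
MAX_PAYLOAD = 1_000_000   # bytes accepted on the synchronous path
MAX_PENDING = 100         # bounded backlog: beyond this the API sheds load


class SubmissionService:
    """Synchronous REST path on one side, asynchronous processing on the other."""

    def __init__(self, max_pending=MAX_PENDING):
        self._pending = queue.Queue(maxsize=max_pending)
        self._lock = threading.Lock()
        self.processed = []   # digests of the items the worker finished
        self.rejected = 0     # requests shed under backpressure

    def handle_request(self, payload: bytes) -> int:
        """Synchronous path: cheap checks only. Returns an HTTP status code."""
        if not isinstance(payload, bytes) or len(payload) > MAX_PAYLOAD:
            return 413
        try:
            # put_nowait never blocks the request thread: a full backlog is
            # reported to the client rather than absorbed by the server.
            self._pending.put_nowait(payload)
        except queue.Full:
            with self._lock:
                self.rejected += 1
            return 503
        return 202  # accepted; the heavy work happens off the request path

    def _process_one(self, payload: bytes) -> None:
        # Stand-in for CPU-bound work such as per-Receiver encryption.
        digest = hashlib.pbkdf2_hmac("sha256", payload, b"example-salt", 1000)
        with self._lock:
            self.processed.append(digest.hex())

    def process_pending(self) -> int:
        """Drain the backlog in the calling thread; returns the count processed."""
        done = 0
        while True:
            try:
                payload = self._pending.get_nowait()
            except queue.Empty:
                return done
            self._process_one(payload)
            self._pending.task_done()
            done += 1

    def start_worker(self) -> threading.Thread:
        """Run the asynchronous side in a background thread (blocking get)."""
        def loop():
            while True:
                payload = self._pending.get()
                if payload is None:          # shutdown sentinel
                    self._pending.task_done()
                    return
                self._process_one(payload)
                self._pending.task_done()
        t = threading.Thread(target=loop, daemon=True)
        t.start()
        return t

    def stop_worker(self, thread: threading.Thread) -> None:
        self._pending.put(None)
        thread.join()


def simulate_flood(n_requests: int, max_pending: int = 3):
    """Constructed scenario: a burst of requests arrives before any worker runs.

    Returns (status codes in arrival order, items processed, items rejected).
    """
    svc = SubmissionService(max_pending=max_pending)
    statuses = [svc.handle_request(b"tip-%d" % i) for i in range(n_requests)]
    processed = svc.process_pending()
    return statuses, processed, svc.rejected
```

With a backlog of three, a burst of five requests yields 202, 202, 202, 503, 503: the request thread spent no CPU on the two rejected submissions, and the three accepted ones were hashed only when the worker got to them.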

Client Application Security

The client application is a JavaScript application that communicates with the server through a REST API.

The client application only handles structured, sanitized data, to avoid any kind of code injection from the server.

The client application will be embedded as an in-browser plug-in, to further guarantee its integrity.


Other threats to privacy and anonymity

This section highlights several threats and protections related to GlobaLeaks that require further explanation.

Proxy Detection

GlobaLeaks provides a proxy detection feature that advises Actors whenever they are behind a proxy and are therefore leaving traces of their browsing activity.

This is reported as a security awareness measure in the Privacy Badge.

Time Correlation

To prevent direct timing correlation attacks between a Whistleblower's submission and a Receiver's notification, GlobaLeaks introduces a configurable, variable time delay between the two events.
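As an added example (not GlobaLeaks code) of why the delay has to be variable rather than merely configured: with a constant delay an observer who sees the notification simply subtracts the constant and recovers the submission time, while a delay drawn at random from a window only bounds the submission to that window and lets notifications go out in an order different from the submission order. The function names and the five-minute to two-hour window are assumptions for the example; the random source is assumed to be the operating system's, with a seeded generator used only to keep the demonstration reproducible.

```python
import random
from datetime import datetime, timedelta

# Added example (not GlobaLeaks code). Names and the window are assumptions.


def schedule_notification(submitted_at, min_delay, max_delay, rng=None):
    """Return the time at which the Receiver notification may be sent.

    rng defaults to random.SystemRandom(). A seeded random.Random is used in
    correlation_demo() only for reproducibility; in production a predictable
    delay hands the correlation straight back to the observer.
    """
    if max_delay < min_delay:
        raise ValueError("max_delay must not be smaller than min_delay")
    rng = rng if rng is not None else random.SystemRandom()
    span = (max_delay - min_delay).total_seconds()
    return submitted_at + min_delay + timedelta(seconds=rng.uniform(0, span))


def schedule_all(submissions, min_delay, max_delay, rng=None):
    """Schedule every (id, submitted_at) pair; return (due, id) sorted by due time."""
    due = [(schedule_notification(t, min_delay, max_delay, rng), sid)
           for sid, t in submissions]
    due.sort()
    return due


def correlation_demo(seed=7):
    """Constructed input: three submissions one minute apart.

    Returns the notification order with a constant delay, the order with a
    randomized delay, and whether every randomized due time stayed inside
    the configured window.
    """
    t0 = datetime(2014, 4, 1, 10, 0, 0)
    subs = [("s1", t0),
            ("s2", t0 + timedelta(minutes=1)),
            ("s3", t0 + timedelta(minutes=2))]
    lo, hi = timedelta(minutes=5), timedelta(hours=2)

    # Constant delay: the observer subtracts 5 minutes and has the submission time,
    # and the notification order equals the submission order.
    fixed = [sid for _, sid in schedule_all(subs, lo, lo)]

    # Randomized delay: a due time only places the submission somewhere in a
    # 2-hour range, and notifications need not go out in submission order.
    jittered = schedule_all(subs, lo, hi, random.Random(seed))
    submitted = dict(subs)
    in_window = all(submitted[sid] + lo <= due <= submitted[sid] + hi
                    for due, sid in jittered)
    return fixed, [sid for _, sid in jittered], in_window


def inverted_window_rejected():
    """Misconfiguration check: a window with max < min must be refused."""
    try:
        schedule_notification(datetime(2014, 4, 1),
                              timedelta(minutes=10), timedelta(minutes=1))
    except ValueError:
        return True
    return False
```

The window is the parameter the Node Administrator trades off: the wider it is, the less a notification timestamp reveals, at the cost of slower follow-up by Receivers.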

Browser History and Cache

GlobaLeaks tries, by using properly crafted HTTP headers, to avoid leaking information into the Actor's browser history and cache.

This privacy feature cannot guarantee that the user is safe against a forensic analysis of his browser cache and/or history, but it is provided as an additional safety measure.
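The text does not list the headers GlobaLeaks sends; the set below is the conventional one for keeping a response out of browser and proxy caches and is an assumption of this added example (not GlobaLeaks code). The checker that follows audits a response's headers the way a reviewer would when verifying the claim, parsing the Cache-Control directives case-insensitively rather than string-matching, and reporting each way a page could still be written to disk.

```python
# Added example (not GlobaLeaks code). The header set is an assumption.

NO_STORE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",   # for HTTP/1.0 caches that ignore Cache-Control
    "Expires": "0",
}


def _cache_control_directives(value: str) -> dict:
    """Parse 'a, b=1, c="x"' into {'a': None, 'b': '1', 'c': 'x'} (names lowercased)."""
    out = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        out[name.strip().lower()] = arg.strip().strip('"') or None
    return out


def cache_leak_findings(headers: dict) -> list:
    """Return the reasons a response with these headers could land in a cache."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []
    cc = _cache_control_directives(lower.get("cache-control", ""))
    if "no-store" not in cc:
        findings.append("Cache-Control lacks no-store: response may be written to disk cache")
    if "no-cache" not in cc:
        findings.append("Cache-Control lacks no-cache: a cached copy may be reused without revalidation")
    max_age = cc.get("max-age")
    if max_age is not None and max_age.isdigit() and int(max_age) > 0:
        findings.append("Cache-Control max-age=%s keeps a cached copy fresh" % max_age)
    if "public" in cc:
        findings.append("Cache-Control public lets shared caches store the response")
    if lower.get("pragma", "").lower() != "no-cache":
        findings.append("Pragma: no-cache missing (HTTP/1.0 caches)")
    if lower.get("expires", "") not in ("0", "-1"):
        findings.append("Expires not set to 0 or -1 (HTTP/1.0 caches)")
    return findings


def audit_example():
    """Constructed responses: the hardened header set beside a cacheable one."""
    return (cache_leak_findings(NO_STORE_HEADERS),
            cache_leak_findings({"Cache-Control": "public, max-age=3600"}))
```

The checker only covers the cache; the history side depends on the browser and on what the URL itself carries, which is one reason the text is careful not to promise forensic safety.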

Metadata Cleanup

Cleaning the metadata of submitted files attempts to protect an "unaware" whistleblower from leaking, inside a document, information that may put his anonymity at risk.

However, our position on this is defined at https://github.com/globaleaks/GlobaLeaks-0.1/issues/53: we do not think that automatic metadata cleanup is always useful, nor that it provides 100% security to the whistleblower.

For that reason metadata cleanup is an optional feature, at the choice of the Whistleblower and/or the Node Administrator.

Security Awareness

Security awareness is highly relevant for all the actors of GlobaLeaks, because most security problems arise from improper use of the software or from improper actions.

At every stage of an Actor's interaction with the Node, GlobaLeaks provides security awareness tips and information to help the Actor understand his own context.

Privacy Badge

One major security awareness measure is the Privacy Badge, an always-present badge at the top of the page that informs the user, with coloured bullets (green, yellow, red), about his status regarding:

That way the user always knows whether he is in the best condition (3 green bullets) or whether something is yellow or red.

By clicking on the Privacy Badge, the Actor gets detailed information on his status and on how to improve it, contextualized for the kind of Actor he is.

When the Actor improves his privacy/security, he perceives the improvement graphically (the bullet switches to green), having properly completed the "Actions" suggested by the Privacy Badge.

Comfort Loader

Due to the high latency of Tor Hidden Services, certain GlobaLeaks data may take several seconds to load. To mitigate this, a Comfort Loader has been added.

While the user waits, the Comfort Loader provides useful information on safe whistleblowing procedures.

Application's interfaces tips

Every application field and every action available through the interface comes with tips and informational hints focused on the user's privacy.


What GlobaLeaks does not protect from

In this section we highlight what GlobaLeaks does not protect against, regardless of the security features used, the anonymity level applied and the data security measures enforced through encryption.

Environmental factors

GlobaLeaks does not protect against environmental factors related to an Actor's physical location and/or social relationships.

For example, if an Actor has a video bug installed in his house that monitors all his activity, GlobaLeaks cannot protect him.

If an Actor who is supposed to be anonymous tells his friends about his activity, GlobaLeaks cannot protect him.

Human negligence

While we do give the Node Administrator the ability to fine-tune the security-related configuration, and continuously inform the Actors about their security-related context at every step of the interaction, GlobaLeaks cannot protect against the major security threats coming from human negligence.

For example, a Whistleblower who submits data of which he is clearly the one and only holder, to a third party carrying out an ex-post investigation to identify him, cannot be protected by GlobaLeaks.

Data stored outside GlobaLeaks

GlobaLeaks does not provide any kind of security for data stored outside the GlobaLeaks system.

The duty of protecting such data lies exclusively with the Actor.

Advanced Traffic Analysis

An attacker monitoring SSL-encrypted traffic, even without the ability to decrypt it, is able to identify the role of the intercepted users, because the Whistleblower, Receiver and Node Administrator interfaces generate different network traffic patterns.

GlobaLeaks does not provide protection against this threat. The use of Tor pluggable transports, or of other methods providing this kind of protection, is suggested.


[1] Assuming the Actor is not using any specific tool to protect his own anonymity independently of the GlobaLeaks Node installation (e.g., a Whistleblower could use the Tor Browser Bundle to make a submission to a GlobaLeaks Node exposed on the public Internet).