Using Globaleaks To Protect Sources

Many times, Sources (whistleblowers) need to send information anonymously to reports or journalists. Using email or putting files on cloud storage is not safe or secure if you want a free, safe, secure, and anonymous way to allow sources to share information I suggest Globaleaks.

Globaleaks is a free open-source platform that allows sources to anonymously send information and data to reporters. Globaleaks is easy and simple to set up and anyone regardless of technical savvy can do it easily. Globaleaks has great instructions and a simple template that can be done with little or no effort on Docker.

After the installation, I examined the security of this system and was very impressed. To start with when the source or whistleblower submits an incident only the user with the recipient roll can read it. Globaleaks has three roles defined Whistleblower, Recipient, and Administrator.

From Globaleaks Documentation:
“Recipient – The user receiving anonymous reports submitted by Whistleblowers and responsible for their analysis. Recipients act reasonably in good faith and have to be considered in all scenarios described as trusted parties with reference to the protection of Whistleblowers’ and the confidentiality of the information by them communicated.”

I figured as Administrator of the system and the server I would have access but Globaleaks really thought this through. Not even the admin account has access to the encrypted data submitted by the source.

After going through Globaleak’s very well-done documentation I found this:

“Administrator – The users supporting the setup, management and monitoring the security of the platform. Administrator may not represent the same entity running, promoting and managing the whistleblowing initiatives (e.g., hosted solutions, multiple stakeholders projects, etc). The Administrator has to be considered in all scenarios described as a trusted entity. They do not have direct access to reports and they are responsible for advising Recipients on the best practices to be adopted in their work.”

Despite being the admin, you don’t have access to the data. I decided to check even deeper. I went on to the test server I made as admin and examined Globaleaks and all the documents submitted and the databases were encrypted. Even at the server level, the admin does not have access to the data.

The database stores users’ passwords hashed with a random 128-bit salt, unique for each user and hashed using Argon2. This key derivation function was selected as the winner of the Password Hashing Competition in July 2015. The hash involves a per-user salt for each user and a per-system salt for whistleblowers. The system forces users to change their password at their first login and pushes to use 2FA for recipients and admin users.

I then started wondering about the logs I should be able to see what IP address the source used to connect to the server. When I checked the logs, I found something interesting. While the logs are on the server for diagnostics all IP addresses and login information times were all nulled out for additional security of the source. Even metadata is nulled for additional protection.

One thing I did notice during the setup of Globaleaks you can set up the system to work on the regular web which Globaleaks does not recommend even using a VPN. They recommend making the server a .onion domain. A .onion domain is the address of a website that can only be accessed through the Tor anonymity browser. Regular browsers won’t be able to navigate the relay of proxy servers that will take users to this type of website.

Globaleaks recommends accessing the platform via the Tor Browser to allow the best practices for protecting source identity and reducing the possibility that a system involved in the operation has tracked their activities and their IP address.

Reading through documentation Globaleaks software is in adherence with the OWASP Security Guidelines. GlobaLeaks tries to get a security audit done every 2 years and does participate in HackerOne bug bounty.

I found this platform to be very secure and well done through my research and I would recommend it to any company that needs a platform for sources or whistleblowers.