Implement 2FA


#1

Hello,

Is there a way to implement 2FA with Globaleaks login for the portal?

Regards,
Raf


#2

Hello @Raf_Rasenberg,

not right now.

These are a few of the possibilities we are evaluating:

  • implementation of a simple 2FA with a random secret delivered via email (that is not a perfect 2FA method but would work in practice, reducing the types of adversaries)
  • integration of the FIDO protocol with security tokens like the YubiKey.

What is your feedback on these possibilities?
Are you evaluating to implement other solutions?

Best,

Giovanni Pellerano


#3

Hi @evilaliv3

YubiKey would be very good IMO.
What about authenticators like Google Auth and Authy?

A client I am working for wants a 2FA implemented so I am considering just implementing a simple 2FA for the login page on my current Globaleaks installation. Where can I find the directory of Globaleaks with the login scripts? I will track progress, experiences and share everything here or on Github.

Regards,

Raf


#4

@Raf_Rasenberg: in the context of GlobaLeaks, external services are generally not considered safe for integration; this is why we are currently evaluating FIDO or a custom implementation of a random token sent via email (that would not be a perfect 2FA but would work in practice).

Here you find the backend authentication handler: https://github.com/globaleaks/GlobaLeaks/blob/master/backend/globaleaks/handlers/authentication.py

Here you find the clientside authentication service: https://github.com/globaleaks/GlobaLeaks/blob/master/client/app/js/services.js


#5

Thank you @evilaliv3
Is there any timeframe in which 2FA will be implemented and tested?


#6

Actually not, @Raf_Rasenberg, as this activity is currently not part of any of our funded projects, so we are moving it forward on a best-effort basis :confused:

If you are planning to develop it by yourself, I may try to support you with suggestions and review to get it integrated fast.


#7

Ah okay that’s a pity…

“If you are planning to develop it by yourself, I may try to support you with suggestions and review to get it integrated fast.”

That would be great if you could do that, thanks Giovanni!

Because how can I assure clients now that it is safe? Anyone who could get their hands on the login details can read the conversation on the platform, because it is there in plain text. Is there no way to encrypt the messages on the platform with PGP instead of only the e-mails? Then a 2FA wouldn’t even be needed, because an intruder can’t read the message.

Regards,

Raf


#8

We may postpone FIDO to a later stage and in the short term implement a random token sent via email as a practical 2FA.
That would leave out all the enemies except the sysadmin, who would have to have access to both the email system and the password details.

As for the encryption, currently PGP protects both the email and files.
A different encryption method that encrypts everything without even needing to configure PGP is already implemented, tested and fully functional, but to make it available we are waiting to implement the possibility to store the password key as a backup copy. This feature is practically needed because, with automatic encryption based on the user password, if the user loses their own password they will lose access to every tip received.

Here the details: https://docs.google.com/document/d/1Yn4OM5XO5G0PXDSlHYaEa5BsAucBmxhmBfRqhrAg_Jc/edit?usp=sharing
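The email-delivered one-time token discussed in #2 and #8, written out as an added example in Python (the language of the GlobaLeaks backend). This is not GlobaLeaks code and not the design the project shipped; the `EmailTokenFactor` and `Login` classes, the `send_mail` callback standing in for a real mailer, and the in-memory dicts standing in for a database are all assumptions made here. It shows the checks a practitioner would want around such a token: only a hash of the code is stored, bound to the user id; the code expires, is single-use, is discarded after a fixed number of wrong guesses, and is compared in constant time; and no session exists until both the password and the token have been verified.

```python
"""Two-stage login with an email-delivered one-time token as the second factor.

Illustrative example only; hypothetical design, not GlobaLeaks code.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

TOKEN_DIGITS = 8          # 8 decimal digits (~26.6 bits): safe online only with an attempt cap
TOKEN_TTL_SECONDS = 600   # the mailed code dies after 10 minutes
MAX_ATTEMPTS = 5          # after that the pending code is discarded and login restarts


@dataclass
class PendingToken:
    digest: bytes        # SHA-256 of "user_id:token"; the clear code is never stored
    expires_at: float
    attempts: int = 0


class EmailTokenFactor:
    """Second factor: a random code mailed to the user (hypothetical, not GlobaLeaks code)."""

    def __init__(self, send_mail: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time):
        self._send_mail = send_mail          # stand-in for the real mailer
        self._clock = clock                  # injectable so expiry can be tested
        self._pending: Dict[str, PendingToken] = {}   # stand-in for a DB table

    @staticmethod
    def _digest(user_id: str, token: str) -> bytes:
        # Bind the code to the account: a code issued for one user never verifies for another.
        return hashlib.sha256(f"{user_id}:{token}".encode()).digest()

    def issue(self, user_id: str, email: str) -> None:
        # CSPRNG, zero-padded to a fixed width so every code looks the same.
        token = f"{secrets.randbelow(10 ** TOKEN_DIGITS):0{TOKEN_DIGITS}d}"
        self._pending[user_id] = PendingToken(self._digest(user_id, token),
                                              self._clock() + TOKEN_TTL_SECONDS)
        self._send_mail(email, token)        # the clear code leaves only via email

    def verify(self, user_id: str, candidate: str) -> bool:
        pending = self._pending.get(user_id)
        if pending is None:
            return False
        if self._clock() >= pending.expires_at:
            del self._pending[user_id]       # expired: force a fresh code
            return False
        pending.attempts += 1
        ok = hmac.compare_digest(pending.digest, self._digest(user_id, candidate))
        if ok or pending.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]       # single use, and discarded after too many guesses
        return ok


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Login:
    """First factor (password) then second factor (mailed code); a session only after both."""

    def __init__(self, users: Dict[str, Tuple[bytes, bytes, str]], factor: EmailTokenFactor):
        self._users = users                  # user_id -> (salt, password hash, email)
        self._factor = factor
        self._sessions: Dict[str, str] = {}  # session id -> user_id

    def start(self, user_id: str, password: str) -> bool:
        rec = self._users.get(user_id)
        if rec is None:
            return False
        salt, pw_hash, email = rec
        if not hmac.compare_digest(pw_hash, hash_password(password, salt)):
            return False
        self._factor.issue(user_id, email)   # password OK: mail the code, still no session
        return True

    def complete(self, user_id: str, token: str) -> Optional[str]:
        if not self._factor.verify(user_id, token):
            return None
        session = secrets.token_urlsafe(32)
        self._sessions[session] = user_id
        return session


if __name__ == "__main__":
    # Constructed demo: the "mailer" just appends to a list.
    outbox = []
    factor = EmailTokenFactor(lambda to, code: outbox.append((to, code)))
    salt = secrets.token_bytes(16)
    users = {"raf": (salt, hash_password("correct horse", salt), "raf@example.org")}
    login = Login(users, factor)
    print("password stage:", login.start("raf", "correct horse"))
    mailed_code = outbox[-1][1]
    print("session:", login.complete("raf", mailed_code))
    print("replay of the same code:", login.complete("raf", mailed_code))
```

The attempt cap is what makes an 8-digit code acceptable at all; drop it and the code is guessable online. As #8 points out, the mailbox becomes the second factor, so whoever can read the recipient's mail (including the mail administrator) holds it; the token should also be sent only after the password check succeeds, so the login form cannot be used to spam a user's inbox.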


#9

Yes I understand that. But what if, for example, someone gets their hands on the login details of the portal from a recipient? He can log in and read the filled-in form without any trouble. Of course it doesn’t contain any personal information of the whistleblower, but based on the answers in the filled-in form someone within the organisation might know exactly who blew the whistle.

For example, on dark web markets, messages are not readable when logged in to the account. You will only see an encrypted PGP message. Is there a possibility to also set this for GlobaLeaks, so someone has to decrypt the message first with his own private key after logging in to the GlobaLeaks portal?


#10

No, this is not possible and would make it impossible for the platform to work in practice.
Users work well on it because they are able to read / interact.

By the way, I think we can agree that the second token sent via email would practically protect from what you are saying. Will try to push this on the roadmap.

Do you by any chance have the possibility to sponsor this implementation?


#11

Yes you are correct with that. Token via e-mail would be good.

How much sponsoring would you need to push this implementation?


#12

Hi Raf,

for 2FA email authentication, it would take ~3 days of development, in order to implement it within a modular one-time-token authentication system that we could extend in the future with other 2FA authenticators.

This feature would increase the security of GlobaLeaks; we could co-contribute to the R&D, leading to a total cost of EUR 700 fixed price for those 3 days, including bugfixing, localization support, release and support.

BTW, consider that we are a non-profit entity running the GlobaLeaks project made up of:

While we made GlobaLeaks thanks to the funding since 2012 from the US Open Technology Fund https://www.opentech.fund and the Dutch Hivos Foundation https://www.hivos.org for projects in the Global South, since 2016 we’ve started implementing an “economic sustainability model” to provide “services” aside from the grant-making activity (we’ve just been awarded a small EU funding, hurray!).

That model is based on supporting Whistleblowing Project development and deployment through Maintenance Contracts (having priority bug fixing), Development Contracts (where we co-invest and share the costs through discounts where those are a really good fit for the roadmap) and SaaS Managed Contracts (where we run GlobaLeaks in the cloud as a fully managed solution).

We do that supporting Whistleblowing Service Providers (whether those are more IT-oriented or Legal/Compliance-oriented), or directly large companies (e.g. Dr Oetker, Sole24ore, Edison, etc.) and public agencies (Barcelona Municipality, Valencia anticorruption agency, etc.).

We will never advertise any “commercial service” on the GlobaLeaks.org website, as we want the project to be neutral and see a growing ecosystem of partners using it for various profit and no-profit business.

GlobaLeaks now also supports Multi-Tenant operation (you can create virtual GlobaLeaks instances on GlobaLeaks) and online Signup (as you can test on try.globaleaks.org) to foster the startup of various SaaS non-profit (but also commercial) business models that provide greater protection to Whistleblowers (have a look at the project we released in October with Transparency International Italy on https://www.whistleblowing.it with a Freemium Activistic Business Model).

If your company is starting up a kind of Whistleblowing Business Service we’d be happy to advise you with some knowledge transfer on how to be successful in your area (the Netherlands, as far as I understand), also establishing some kind of mutual cooperation opportunities to sustain the long-term sustainability of the GlobaLeaks Free Software Project!

It’s very good to keep using the forum to keep publicly sharing knowledge; then, if you wish, you can join our Slack for further conversations: https://slack.hermescenter.org.

Cheers

Fabio