diff --git a/docs/images/manual/security-slider-high.png b/docs/images/manual/security-slider-high.png
new file mode 100644
index 0000000000..9056447016
Binary files /dev/null and b/docs/images/manual/security-slider-high.png differ
diff --git a/docs/source.rst b/docs/source.rst
index 453d7b9d08..90a4a379b7
--- a/docs/source.rst
+++ b/docs/source.rst
@@ -49,25 +49,49 @@ While using the Tor Browser on your personal computer helps hide your activity o Making your First Submission ---------------------------- -Open the Tor Browser and navigate to the .onion address for the SecureDrop Source Interface you wish to make a submission to. The page should look similar to the screenshot below, although it will probably have a logo specific to the organization you are submitting to. +Open the Tor Browser and navigate to the .onion address for the SecureDrop +Source Interface you wish to make a submission to. The page should look similar +to the screenshot below, although it will probably have a logo specific to the +organization you are submitting to. |Source Interface With Javascript Enabled| -If this is the first time you're using the Tor browser, it's likely that you have Javascript enabled. If you do, there will be a red warning banner at the top of the page that encourages you to disable it. +If this is the first time you're using the Tor browser, it's likely that you +have Javascript enabled and that the Security Slider that Tor browser provides +is set to "Low". If you do, there will be a red warning banner at the top of +the page that encourages you to disable Javascript and turn up the Security +Slider to "High". -Click the ``Learn how to disable it`` link in the warning banner and a message bubble will pop up explaining how to disable Javascript. Follow the instructions and the page should refresh automatically. Note that this will disable Javascript for every page in your Tor Browser, and this setting will persist across browser sessions. +|Security Slider| + +Click the ``Learn how to disable it`` link in the warning banner and a message +bubble will pop up explaining how to disable Javascript and turn up the Slider. +Follow the instructions and the page should refresh automatically. 
Note that +this will change the slider and disable Javascript for every page in your Tor +Browser, and this setting will persist across browser sessions. |Fix Javascript warning| -The page should now look similar to the screenshot below. If this is the first time you are using SecureDrop, click the ``Submit Documents`` button. +The page should now look similar to the screenshot below. If this is the first +time you are using SecureDrop, click the ``Submit Documents`` button. |Source Interface with Javascript Disabled| -You should now see a screen that shows the unique codename that SecureDrop has generated for you. In the example screenshot below the codename is ``sink los radium bcd nab privy nadir``, but yours will be different. It is extremely important that you both remember this code and keep it secret. After submitting documents, you will need to provide this code to log back in and check for responses. +You should now see a screen that shows the unique codename that SecureDrop has +generated for you. In the example screenshot below the codename is +``sink los radium bcd nab privy nadir``, but yours will be different. It is +extremely important that you both remember this code and keep it secret. After +submitting documents, you will need to provide this code to log back in and +check for responses. -The best way to protect your codename is to memorize it. If you cannot memorize it right away, we recommend writing it down and keeping it in a safe place at first, and gradually working to memorize it over time. Once you have memorized it, you should destroy the written copy. +The best way to protect your codename is to memorize it. If you cannot memorize +it right away, we recommend writing it down and keeping it in a safe place at +first, and gradually working to memorize it over time. Once you have memorized +it, you should destroy the written copy. 
-SecureDrop allows you to choose the length of your codename, in case you want to create a longer codename for extra security. Once you have generated a codename and put it somewhere safe, click ``Continue``. +SecureDrop allows you to choose the length of your codename, in case you want +to create a longer codename for extra security. Once you have generated a +codename and put it somewhere safe, click ``Continue``. |Memorizing your codename| @@ -145,6 +169,7 @@ Repeat these steps to continue communicating with the journalist. .. |Source Interface with Javascript Enabled| image:: images/manual/source-step1.png +.. |Security Slider| image:: images/manual/security-slider-high.png .. |Fix Javascript warning| image:: images/manual/source-step2.png .. |Source Interface with Javascript Disabled| image:: images/manual/source-step3-and-step7.png .. |Memorizing your codename| image:: images/manual/source-step4.png diff --git a/securedrop/source_templates/banner_warning_flashed.html b/securedrop/source_templates/banner_warning_flashed.html index cb2c2bf07d..da8e0a5e7a 100644 --- a/securedrop/source_templates/banner_warning_flashed.html +++ b/securedrop/source_templates/banner_warning_flashed.html @@ -1,6 +1,7 @@ {# these are flash messages that appear at the top and are really scary, like if you're using tor2web #} {% with messages = get_flashed_messages(with_categories=True, category_filter=["banner-warning"]) %} {% for category, message in messages %} -

{{ message|safe }}

+

+ {{ message|safe }}

{% endfor %} {% endwith %} diff --git a/securedrop/source_templates/flashed.html b/securedrop/source_templates/flashed.html index faa6e70581..578b87108d 100644 --- a/securedrop/source_templates/flashed.html +++ b/securedrop/source_templates/flashed.html @@ -4,9 +4,9 @@ {% if category != 'banner-warning' %}
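Review bot: The re-added line `{{ message|safe }}` keeps the `|safe` filter, which switches off Jinja autoescaping for every message flashed in the `banner-warning` category, so this template is only safe while those messages are fixed server-side strings (the template comment mentions tor2web warnings) and never carry request-derived data such as a codename or a header value. The commit restyles the markup but records that invariant nowhere. I'd add `{# rendered with |safe: only flash fixed, server-controlled strings in this category #}` beside the loop, and if any banner-warning message is ever built from request input, drop `|safe` or escape the dynamic part explicitly. Whether any caller currently does so is not visible in this hunk.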

{% if category == 'notification' %} - + {% elif category == 'error' %} - + {% endif %} {{ message }}

diff --git a/securedrop/source_templates/generate.html b/securedrop/source_templates/generate.html index 94db0a1ac6..5b7c79c041 100644 --- a/securedrop/source_templates/generate.html +++ b/securedrop/source_templates/generate.html @@ -7,7 +7,8 @@

Remember this codename and keep it secret


-

{{ codename }}

+ +

{{ codename }}

@@ -17,7 +18,7 @@

Remember this codename and keep it secret

{% endfor %}
@@ -35,7 +36,9 @@

Remember this codename and keep it secret

- + Already have a codename?
{% endblock %} diff --git a/securedrop/source_templates/howto-disable-js.html b/securedrop/source_templates/howto-disable-js.html index 7bf97841a1..84ccdcfc34 100644 --- a/securedrop/source_templates/howto-disable-js.html +++ b/securedrop/source_templates/howto-disable-js.html @@ -1,7 +1,7 @@ {% extends "base.html" %} {% block body %} -

Disable JavaScript to Protect Your Anonymity

+

Turn the Security Slider to High to Protect Your Anonymity

JavaScript is a widely used programming language for creating interactive web pages. Unfortunately, JavaScript is also the most common source of security @@ -10,8 +10,8 @@

Disable JavaScript to Protect Your Anonymity

We encourage SecureDrop users to disable JavaScript to protect themselves from malware that would use it to attack their browser and potentially de-anonymize them. There are other ways to get hacked, but given the use of JavaScript-based attacks recently, we believe it is prudent to disable it at this time.

-

The Tor Browser comes with an add-on called NoScript that can be used to completely disable JavaScript by default, and to only enable it for sites that you trust.

+

The Tor Browser comes with a security slider that will disable Javascript as well as protect against other methods that can be used to reveal your true identity.

-

To disable JavaScript in Tor Browser, click the NoScript icon to the left of the address bar above and choose "Forbid Scripts Globally (advised)".

+

To turn up the security settings, click the Tor icon Tor icon to the left of the address bar, select Privacy and Security Settings, and turn the slider to High.

{% endblock %} diff --git a/securedrop/source_templates/index.html b/securedrop/source_templates/index.html index a561348e51..292a531c99 100644 --- a/securedrop/source_templates/index.html +++ b/securedrop/source_templates/index.html @@ -13,7 +13,7 @@ {% endassets %} -
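Review bot: The new `+` paragraph says the slider "will disable Javascript as well as protect against other methods that can be used to reveal your true identity" but does not tell the source that the High setting applies to every site in the browser and persists across sessions, which docs/source.rst in this same commit does state; a source who later finds other sites broken should learn that here, not only in the manual. I'd append `This setting applies to all sites you visit in Tor Browser and stays in effect until you change it back.` after the `turn the slider to High` instruction. The context of the second hunk still reads `Disable JavaScript to Protect Your Anonymity`; if that is an unchanged heading in the body rather than git's hunk context, it should be updated to match the new title (the surrounding markup is not visible here).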
We recommend disabling JavaScript to protect your anonymity: Learn how to disable it, or ignore this warning to continue.
+
We recommend disabling JavaScript and turning the Security Slider to High to protect your anonymity: Learn how to disable it, or ignore this warning to continue.
{% include 'banner_warning_flashed.html' %} @@ -36,7 +36,7 @@


If this is your first time submitting documents to journalists, start here.

- Submit Documents + Submit Documents

@@ -44,7 +44,7 @@


If you have already submitted documents in the past, log in here to check for responses.

- Check for a response + Check for a response
@@ -61,12 +61,14 @@

Included here so the images can preload while the user is first reading the page. Hidden by default. -->
-

You appear to be using the Tor Browser. You can disable Javascript in 3 easy steps!

+

You appear to be using the Tor Browser. You can disable Javascript and turn the Security Slider to High in 4 easy steps!

    -
  1. Click the NoScript icon NoScript icon in the toolbar above
  2. -
  3. Click Forbid Scripts Globally Forbid Scripts Globally (advised)
  4. +
  5. Click the Tor iconTor icon in the toolbar above
  6. +
  7. Click Privacy and Security Settings
  8. +
  9. Turn the Slider to High
  10. If the page does not refresh automatically, click here to refresh the page
+

Not using the Tor Browser Bundle?

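Review bot: The banner on the first `+` line now recommends two actions, disabling JavaScript and raising the Security Slider, but its link text still reads `Learn how to disable it`, so the second action has no visible pointer in the sentence and the wording no longer matches the `/howto-disable-js` title this commit renames. I'd change the link text to `Learn how to change these settings`. The four-item list in the last hunk does agree with the `4 easy steps` count on the `+` line above it.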
diff --git a/securedrop/source_templates/login.html b/securedrop/source_templates/login.html index d2bc337812..f531a881f0 100644 --- a/securedrop/source_templates/login.html +++ b/securedrop/source_templates/login.html @@ -8,6 +8,6 @@

Login to check for responses

-

+

{% endblock %} diff --git a/securedrop/source_templates/lookup.html b/securedrop/source_templates/lookup.html index ee5a623f67..12118fe09e 100644 --- a/securedrop/source_templates/lookup.html +++ b/securedrop/source_templates/lookup.html @@ -5,7 +5,7 @@ {% include 'flashed.html' %} {% if flagged and not haskey %} -

A journalist has been waiting for you to log in again so SecureDrop can generate a crypto key for you. Now that you have logged in, they are able to write you a reply. Check back later for replies.

+

A journalist has been waiting for you to log in again so SecureDrop can generate a crypto key for you. Now that you have logged in, they are able to write you a reply. Check back later for replies.

{% endif %}

Submit documents and messages

@@ -17,8 +17,9 @@

Submit documents and messages

-
- +
+ +

Maximum upload size: 500 MB

@@ -28,7 +29,9 @@

Submit documents and messages


- +

Tip: If you are already familiar with GPG, you can optionally encrypt your files and messages with our public key before submission. Files are encrypted as they are received by SecureDrop; encrypting before submission provides an extra layer of security before your data reaches SecureDrop. Learn more.

@@ -47,7 +50,8 @@

Replies

- Delete + +

Delete this reply? Cancel @@ -77,7 +81,8 @@

Replies

- Remember your codename is: + + Remember your codename is:

{{ codename }}

diff --git a/securedrop/static/i/font-awesome/black/cloud-upload.svg b/securedrop/static/i/font-awesome/black/cloud-upload.svg new file mode 100644 index 0000000000..bd454e5b3c --- /dev/null +++ b/securedrop/static/i/font-awesome/black/cloud-upload.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/securedrop/static/i/font-awesome/black/exclamation-triangle.svg b/securedrop/static/i/font-awesome/black/exclamation-triangle.svg new file mode 100644 index 0000000000..42836e9f1c --- /dev/null +++ b/securedrop/static/i/font-awesome/black/exclamation-triangle.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/securedrop/static/i/font-awesome/black/info-circle.svg b/securedrop/static/i/font-awesome/black/info-circle.svg new file mode 100644 index 0000000000..df27fca80c --- /dev/null +++ b/securedrop/static/i/font-awesome/black/info-circle.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/securedrop/static/i/font-awesome/black/info.svg b/securedrop/static/i/font-awesome/black/info.svg new file mode 100644 index 0000000000..7206c1af35 --- /dev/null +++ b/securedrop/static/i/font-awesome/black/info.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/securedrop/static/i/font-awesome/black/lock.svg b/securedrop/static/i/font-awesome/black/lock.svg new file mode 100644 index 0000000000..70bee8f458 --- /dev/null +++ b/securedrop/static/i/font-awesome/black/lock.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/securedrop/static/i/font-awesome/black/times.svg b/securedrop/static/i/font-awesome/black/times.svg new file mode 100644 index 0000000000..f063b3df42 --- /dev/null +++ b/securedrop/static/i/font-awesome/black/times.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/securedrop/static/i/font-awesome/black/trash.svg b/securedrop/static/i/font-awesome/black/trash.svg new file mode 100644 index 0000000000..e7c9806be9 --- /dev/null +++ b/securedrop/static/i/font-awesome/black/trash.svg 
@@ -0,0 +1 @@ + \ No newline at end of file diff --git a/securedrop/static/i/font-awesome/upload.png b/securedrop/static/i/font-awesome/upload.png new file mode 100644 index 0000000000..a4f89b32b7 Binary files /dev/null and b/securedrop/static/i/font-awesome/upload.png differ diff --git a/securedrop/static/i/font-awesome/white/arrow-circle-o-right.svg b/securedrop/static/i/font-awesome/white/arrow-circle-o-right.svg new file mode 100644 index 0000000000..1f77845032 --- /dev/null +++ b/securedrop/static/i/font-awesome/white/arrow-circle-o-right.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/securedrop/static/i/font-awesome/white/cloud-upload.svg b/securedrop/static/i/font-awesome/white/cloud-upload.svg new file mode 100644 index 0000000000..4eac0d5faf --- /dev/null +++ b/securedrop/static/i/font-awesome/white/cloud-upload.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/securedrop/static/i/font-awesome/white/comments.svg b/securedrop/static/i/font-awesome/white/comments.svg new file mode 100644 index 0000000000..3f898e7c61 --- /dev/null +++ b/securedrop/static/i/font-awesome/white/comments.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/securedrop/static/i/font-awesome/white/refresh.svg b/securedrop/static/i/font-awesome/white/refresh.svg new file mode 100644 index 0000000000..8a751dd9a8 --- /dev/null +++ b/securedrop/static/i/font-awesome/white/refresh.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/securedrop/static/i/font-awesome/white/times.svg b/securedrop/static/i/font-awesome/white/times.svg new file mode 100644 index 0000000000..cd7f25983a --- /dev/null +++ b/securedrop/static/i/font-awesome/white/times.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/securedrop/tests/test_unit_source.py b/securedrop/tests/test_unit_source.py index 77eabfaa6a..ca5b47621a 100644 --- a/securedrop/tests/test_unit_source.py +++ b/securedrop/tests/test_unit_source.py 
@@ -291,7 +291,7 @@ def test_why_journalist_key(self): def test_howto_disable_js(self): rv = self.client.get('/howto-disable-js') self.assertEqual(rv.status_code, 200) - self.assertIn("Disable JavaScript to Protect Your Anonymity", rv.data) + self.assertIn("Turn the Security Slider to High to Protect Your Anonymity", rv.data) @patch('crypto_util.hash_codename') def test_login_with_overly_long_codename(self, mock_hash_codename):
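Review bot: The updated assertion on the `+` line only checks that the new title string is in `rv.data`, so the page could still carry the old NoScript steps (the body text was changed in the same commit) without this test failing. Add `self.assertNotIn("NoScript", rv.data)` and `self.assertIn("Privacy and Security Settings", rv.data)` after it so the instructions themselves, not just the heading, are pinned. `test_howto_disable_js` is fully visible in the hunk; `test_login_with_overly_long_codename` continues outside it.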