About Hush Line
Hush Line is a secure, open source, and anonymous whistleblowing platform. The free, text-only service (it is not possible to send or receive potentially harmful files) does not require tip-line owners to use any personally identifying information—not even an email address—and scrubs access logs of IP addresses and country codes. In addition, tip submitters are not required to create an account.
For users with advanced privacy needs, Hush Line offers an Onion service, which can be accessed using the Tor Browser—making connections and activity completely anonymous.
Version 1 of Hush Line runs on a standalone Personal Server device that connects over Tor, or can be self-hosted. It is designed to limit the possible attack surface—user accounts and a back-end database are not included. Version 2 provides a more feature-rich, “managed service” that includes administrative roles, some third-party integrations, and additional database services.
Audit Scope
Through OTF’s Security Lab, Subgraph performed a security audit covering both versions of Hush Line: the v1 application for the Personal Server device or self-hosted instances, and the v2 “Managed Service.”
The audit included a source code review of Hush Line’s v1 branches and a targeted analysis of PGPy (a Python library that conforms to the OpenPGP specification), followed by a source code review of the v2 managed application, including automated and manual testing and testing via user and administrator access.
Findings
For version 1 of Hush Line, auditors found that the “minimalistic” nature of the application—no user accounts, no back-end database, no access except via Tor—helps reduce the attack surface. The blocking of the Secure Shell (SSH) protocol (a method for securely sending commands to a computer over an unsecure network) and the absence of JavaScript further support security. To enhance security, Subgraph recommended:
- Disabling SSH altogether
- Changing the recommended OS for Raspberry Pi implementations to Raspberry Pi OS Lite, providing “a base OS with the least amount of software needed”
- Investigating a shift from the Debian OS “unattended upgrades” feature (which automatically keeps a computer up to date with the latest security and other updates) to a static security analysis approach (which can help eliminate issues at the code level)
The auditors also noted that the use of the Tor network can allow users connecting anonymously to inadvertently create a Denial of Service (DoS) attack by sending a large number of requests, or fail to block intentional DoS attacks because “legitimate and abusive traffic may originate from the same Tor exits.” The testers were unable to force rate limiting rules that could effectively counter this risk.
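The shared-exit problem the auditors describe, as an added example (not code from Hush Line or the audit report): a rate limiter keyed on source address, replayed over constructed traffic. The limit of 10 requests per minute, the client labels and the 192.0.2.x documentation addresses standing in for Tor exits are assumptions for illustration.

```python
from collections import defaultdict


class FixedWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.counts = defaultdict(int)  # (key, window index) -> requests seen

    def allow(self, key, now):
        bucket = (key, int(now // self.window))
        self.counts[bucket] += 1
        return self.counts[bucket] <= self.limit


def replay(requests, limiter):
    """Replay (time, source_ip, client) tuples, keying the limiter on source_ip only.

    Returns allowed/denied counts per client. The client label is ground truth
    for the report; the limiter never sees it, as a server behind Tor would not.
    """
    result = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for now, source_ip, client in requests:
        verdict = "allowed" if limiter.allow(source_ip, now) else "denied"
        result[client][verdict] += 1
    return {client: dict(counts) for client, counts in result.items()}


def constructed_traffic():
    """Constructed sample: one flooding client and two tip submitters in one minute."""
    exit_a, exit_b = "192.0.2.10", "192.0.2.20"  # hypothetical exit addresses
    reqs = [(t, exit_a, "flooder") for t in range(60)]  # one request per second
    reqs += [(t, exit_a, "submitter_same_exit") for t in (20, 40, 50)]
    reqs += [(t, exit_b, "submitter_other_exit") for t in (20, 40, 50)]
    return sorted(reqs, key=lambda r: r[0])  # stable sort keeps arrival order


def run():
    # Assumed policy: 10 requests per minute per source address.
    return replay(constructed_traffic(), FixedWindowLimiter(limit=10, window=60))


if __name__ == "__main__":
    for client, counts in run().items():
        print(client, counts)
```

The submitter sharing the flooder's exit loses every request while the flooder still gets its full quota, which is why a per-address limit caps load but cannot separate legitimate from abusive Tor traffic.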
For the version 2 “managed service” application of Hush Line, the auditors found that functions including authentication, user privilege levels, message encryption, and the web application all provided sound protection and security. They did note some risks associated with this version though, including:
- The risk of structured query language (SQL) injection attacks, for instance through privilege escalation to user and administrative accounts (a SQL injection is a cyber attack that uses malicious SQL code to access sensitive data from a database)
- Potential exposure of personally identifiable information when it is encrypted in a local database using a symmetric key
- The liability of the “multi-tenant” setup in which different organizations share the same server and database—if the application or underlying host is compromised, the other “tenants” or organizations might be as well
To mitigate some of these risks, auditors suggested database hardening by restricting the database’s ability to read and write local files—for instance by disabling the local-infile setting of the MariaDB database—and separating tenants to insulate them if one is compromised.
The auditors also noted the potential vulnerabilities in the OpenPGP libraries used in Hush Line v1 and v2, with a recommendation to use GnuPG.
Remediation
After the Hush Line team received the initial findings from Subgraph in April 2024, several of the audit’s recommendations were implemented, including:
- A switch to Raspberry Pi OS Lite as the base operating system
- Providing a single tenant option for organizations seeking to lower risk by isolating their managed service
- A change in database from MariaDB to SQLite, reducing the attack surface at the database layer
- Implementation of the Flask-Limiter library to enable rate limiting (to help prevent DoS attacks)
- A switch to the pysequoia library, based on the Sequoia implementation of OpenPGP, avoiding the auditors’ concerns about GnuPG and providing a better maintained library than PGPy.
At the time of the audit report, Hush Line was still investigating options for static security analysis, such as OWASP dep-scan.