Friday, May 6, 2011

Researchers Say WSJ’s WikiLeaks Copycat Is Full Of Holes


The Wall Street Journal wants a WikiLeaks of its own: a conduit for sources to securely submit large caches of data to the site’s reporters. But some security researchers say the Journal has yet to learn a basic rule of digital whistleblowing: leaking sites aren’t meant to leak.
SafeHouse, the newspaper’s WikiLeaks-inspired submissions site, launched Thursday with a promise to allow sources to “securely share information with the Wall Street Journal.” But within hours, the security community was pointing to flaws in the site’s protections for anonymous leakers and the fine print of its policy for source protections that could give away the identities of would-be whistleblowers.
“Pro tip: if you’re going to create a document leaking website – have a clue!” wrote security researcher Jacob Appelbaum in his Twitter feed.
Appelbaum, a developer for the Tor anonymity network and a past volunteer for WikiLeaks, says that SafeHouse insecurely implements Secure Sockets Layer (SSL) encryption, the protection meant to render any data passed between a user and a website unreadable. When a visitor goes to http://wsjsafehouse.com, for instance, that unencrypted site offers a link to the encrypted HTTPS version of the site. But Appelbaum points out that it doesn’t use a mechanism called Strict Transport Security to switch from the insecure to the encrypted connection. So any lurking man-in-the-middle on the user’s network can use a tool like SSL Strip to make it appear to the user that he or she has entered the encrypted version of the site when in fact the traffic is unprotected.
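The check a site operator could run for the handoff described above, as an added example that is not part of the original article or the Journal's code. The responses are constructed samples, `example.org` is a placeholder host, and the 180-day `min_age` threshold is an assumption.

```python
# Added example: audit captured responses for the HTTP -> HTTPS handoff.
# All four sample responses are constructed; example.org is a placeholder.

HTTP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<a href="https://example.org/">Enter the secure site</a>'
)
HTTPS_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
HARDENED_HTTP = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.org/\r\n\r\n"
HARDENED_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n"
)

def parse_response(raw):
    """Return (status_code, {lowercased header name: value})."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def hsts_max_age(value):
    """Extract max-age (seconds) from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        key, _, val = directive.partition("=")
        val = val.strip().strip('"')
        if key.strip().lower() == "max-age" and val.isdigit():
            return int(val)
    return None

def audit(http_raw, https_raw, min_age=15552000):  # 180 days: assumed threshold
    """List the weaknesses in how a site moves visitors from HTTP to HTTPS."""
    findings = []
    status, headers = parse_response(http_raw)
    redirected = headers.get("location", "").startswith("https://")
    if not (status in (301, 302, 307, 308) and redirected):
        findings.append("http-entry-not-redirected")  # page served in the clear
    _, headers = parse_response(https_raw)
    age = hsts_max_age(headers.get("strict-transport-security", ""))
    if age is None:
        findings.append("hsts-missing")
    elif age < min_age:
        findings.append("hsts-max-age-too-short")
    return findings
```

A redirect alone still leaves the first plaintext request exposed; the Strict-Transport-Security header is what tells a browser that has already visited over HTTPS to refuse plain HTTP afterwards.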
Appelbaum says that SafeHouse’s SSL server also allows users to connect with many forms of encryption that lack what cryptographers call “perfect forward secrecy,” a mechanism based on using temporary keys that can’t decrypt past messages. “That means anyone who takes their server or breaks into it could decrypt all their previous traffic,” says Appelbaum, who claims to offer his opinion as a Tor developer and not as any sort of WikiLeaks associate.
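One way to find the suites without forward secrecy in a server's accepted list, as an added example that is not from the article. The suite list is constructed, not what SafeHouse offered, and the function goes beyond the text by handling both OpenSSL and IANA naming as well as TLS 1.3 names, which postdate the article.

```python
# Added example: flag cipher suites that lack authenticated forward secrecy.
# ACCEPTED is a constructed sample mixing OpenSSL-style and IANA-style names.

ACCEPTED = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-SHA",
    "AES256-SHA",
    "RC4-SHA",
    "ECDH-RSA-AES128-SHA",
    "ADH-AES128-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
]

def key_exchange(suite):
    """Return the key-exchange family encoded in a cipher suite name."""
    if suite.startswith("TLS_"):
        if "_WITH_" not in suite:
            return "TLS1.3"  # TLS 1.3 suites always use ephemeral (EC)DHE
        tokens = suite[4:].split("_WITH_")[0].split("_")  # e.g. ["ECDHE", "ECDSA"]
    else:
        tokens = suite.split("-")
    first = tokens[0]
    if first in ("ADH", "AECDH") or "anon" in tokens:
        return "anonymous-DH"  # ephemeral but unauthenticated, so still flagged
    if first in ("ECDHE", "DHE", "EDH"):
        return "DHE" if first == "EDH" else first  # EDH is the older OpenSSL name
    if first in ("ECDH", "DH"):
        return "static-" + first  # fixed DH key taken from the certificate
    if first in ("PSK", "SRP"):
        return first
    # OpenSSL leaves the key exchange out of the name when it is static RSA.
    return "static-RSA"

FORWARD_SECRET = {"ECDHE", "DHE", "TLS1.3"}

def audit_suites(suites):
    """Map every suite without authenticated forward secrecy to its key exchange."""
    return {s: kx for s in suites if (kx := key_exchange(s)) not in FORWARD_SECRET}
```

With static RSA key exchange the session secret is encrypted to the server's long-term key, which is why the flagged suites leave recorded traffic decryptable by whoever later obtains that key.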
To be fair, not even WikiLeaks itself has always handled security features like SSL perfectly. In June of last year, the group’s submissions site went down temporarily when the group failed to renew its SSL certificate. WikiLeaks hasn’t maintained a submissions site since last fall.
But even if SafeHouse’s technology were implemented securely, its legalese still gives the site leeway to betray the identity of users who don’t use their own separate anonymity software or go through a formal “confidentiality request” process. Rebecca Mackinnon, a research fellow at the New American Foundation, pointed out on Twitter that the site’s terms of use allow the Journal to turn over sources’ identities to law enforcement in any case where the source hasn’t made that special request for anonymity: “We reserve the right to disclose any information about you to law enforcement authorities or to a requesting third party, without notice, in order to comply with any applicable laws and/or requests under legal process,” the terms read.
Even in cases where the source has been granted anonymity, the Journal’s parent company Dow Jones only promises to safeguard that source’s anonymity “while remaining in compliance with all applicable laws.” As in any situation where law enforcement subpoenas information from a reporter, the choice will be left to Dow Jones whether to give up its source or violate the subpoena.
SafeHouse recommends that users who don’t want to be identified run Tor, an anonymity tool that hides their origin. But Appelbaum points out that the use of Flash in SafeHouse’s submissions system isn’t compatible with Tor.
Update: Ashley Hutton, a Journal spokesperson, responded in a statement that SafeHouse is working to fix that Tor problem sometime over the weekend, and has already been updated to use only more secure types of encryption. “As is standard procedure, we will continue to assess new specifications and analyze any potential situation that may impact the privacy of our users,” she writes in a statement. “Our priority is to ensure that SafeHouse fulfills its mission as a secure location that provides sources with access to highly skilled, experienced journalists.”
In response to criticism of the site’s terms of use, she writes: “There is nothing more sacred than our sources; we are committed to protecting them to the fullest extent possible under the law. Because there is no way to predict the breadth of information that might be submitted through SafeHouse, the Terms of Use reserve certain rights in order to provide flexibility to react to extraordinary circumstances. But as always, our number one priority is protecting our sources.”
Meanwhile, the submission page on SafeHouse simply states that “You can be anonymous by not providing your name and contact information on this page,” with no mention of the site’s legal or technical vulnerabilities. Appelbaum calls that anonymity claim a “blatant lie.”
WikiLeaks’ founder Julian Assange has been supportive of the idea of copycat sites in the past. In a November interview, he said that the creation of more leaking sites would be “protective” to WikiLeaks. But he’s also warned users against direct-to-newspaper leak sites, and criticized the Guardian’s and New York Times’ handling of confidential information.

 

 

 

 
