Wall Street Journal’s WikiLeaks Clone Gets Low Marks from Security Watchers
Despite a history of bashing WikiLeaks in its editorial pages, yesterday, the Wall Street Journal launched a whistleblower site of its own called SafeHouse, the aim of which is to allow potential leakers to keep their identities confidential while using “a special system built to be secure.” Whatever opinion one holds of WikiLeaks, however, SafeHouse is probably not the best option for would-be whistleblowers: It has gotten low marks on both preserving confidentiality and observing good web security practices.
First, one Hacker News user points out the differences in each site’s confidentiality clauses:
WSJ Terms about Confidentiality:
3. Request Confidentiality: If you would like us to consider treating your submission as confidential before providing any materials, please make this request through this online submission form. Please note that until we mutually decide to enter into a confidential relationship, any information you send to us (including contact information) can be used for any purpose, as outlined in point 1 above, and described more fully below in the Limitations section). If we enter into a confidential relationship, Dow Jones will take all available measures to protect your identity while remaining in compliance with all applicable laws.
2.3 Protection for you
Wikileaks does not record any source-identifying information and there are a number of mechanisms in place to protect even the most sensitive submitted documents from being sourced. We do not keep any logs. We can not comply with requests for information on sources because we simply do not have the information to begin with. Similarly we can not see your real identity in any anonymised chat sessions with us. Our only knowledge of you as a source is if you provide a coded name to us. A lot of careful thought by world experts in security technologies has gone into the design of these systems to provide the maximum protection to you. Wikileaks has never revealed a source.
On the one hand, there’s a downside to the WikiLeaks approach: Without knowing much of anything about its sources, it can potentially fall victim to bad or planted leaks. However, the WSJ approach means that when getting in touch with the Journal even to request confidentiality, a would-be source doesn’t yet have it, and is exposed if the Journal doesn’t want to play ball. One suspects that this is not the place to go to release a damaging leak about News Corporation.
Also of concern are the security flaws that have been found on SafeHouse: The Tor Foundation’s Jacob Appelbaum, a supporter of WikiLeaks, says that SafeHouse’s website does not follow good SSL practices, leaving users vulnerable to man-in-the-middle eavesdroppers within their own networks — not just an academic concern in government or corporate environments in which one is considering releasing sensitive information.
Appelbaum points out that it doesn’t use a mechanism called Strict Transport Security to switch from the insecure to the encrypted connection. So any lurking man-in-the-middle on the user’s network can use a tool like SSL Strip to make it appear that he or she has entered the encrypted version of the site when in fact the traffic is unprotected.
Appelbaum says that SafeHouse’s SSL server also allows users to connect with many forms of encryption that lack what cryptographers call “perfect forward secrecy,” a mechanism based on using temporary keys that can’t decrypt past messages. “That means anyone who takes their server or breaks into it could decrypt all their previous traffic,”