Former WikiLeaks Volunteer Jacob Appelbaum Criticizes WSJ’s WikiLeaks Competitor For Insecure SSL Encryption
Yesterday I wrote about a new website called SafeHouse. SafeHouse is The Wall Street Journal’s WikiLeaks competitor. The Wall Street Journal said that those who submit whistle-blower documents to SafeHouse will be guaranteed anonymity through encryption. Jacob Appelbaum, a former WikiLeaks volunteer, and a developer of the Tor anonymity network, immediately noticed flaws with SafeHouse.
Appelbaum said that SafeHouse had insecurely implemented Secure Socket Layer (SSL) encryption. When someone visits wsjsafehouse.com, the unencrypted website offers a link to the HTTPS encrypted version, but it does not use Strict Transport Security to switch insecure connections to an encrypted connection.
Appelbaum also pointed out that SafeHouse’s SSL server allows people to connect to forms of encryption that lack perfect forward secrecy. “That means anyone who takes their server or breaks into it could decrypt all their previous traffic,” stated Appelbaum.
The Wall Street Journal reserves the right to disclose any information to law enforcement authorities without notice unless that individual or group makes a special request for anonymity. SafeHouse recommend people to use Tor to hide their origin, but Tor is not compatible with SafeHouse’s Flash-based submission system. SafeHouse’s website states “You can be anonymous by not providing your name and contact information on this page,” but Appelbaum called this statement a “blatant lie.”
[Forbes]This article was written by Amit Chowdhry. You can follow me at @amitchowdhry or on Google+ at +AmitChowdhry