May 7, 12:29 a.m. | Updated Updating Qualys’s rating of SafeHouse’s encryption.
The Wall Street Journal on Thursday introduced SafeHouse, a Web site that takes a page from WikiLeaks by inviting whistleblowers to submit tips and documents. But within hours, security researchers were challenging the notion that the site was safe for leakers. And on Friday, The Journal said it was rushing through technical changes to address the problems.
According to the researchers, the way SafeHouse uses Web encryption technology known as HTTPS opens the site up for attacks, and is not rigorous enough for a site that handles highly sensitive communications. They also said they were troubled that SafeHouse used Adobe Flash for uploading documents, a technology that can help strip leakers of anonymity.
The problems were the subject of a barrage of messages on Twitter on Thursday afternoon by Jacob Appelbaum, a developer for the Tor Project, which provides tools for anonymous online communication used by dissidents, whistleblowers, journalists and others. Mr. Appelbaum was formerly associated with Wikileaks. “Pro-tip: if you’re going to create a document leaking website – have a clue!” he wrote.
The Journal said in an e-mailed statement that it was taking the issues raised “very seriously” and that it would end its use of Flash within 48 hours. “In addition, our system has been updated to limit the types of less secure connections it will accept,” it said.
SafeHouse’s terms of service encourage whistleblowers to improve their security by using tools like Tor that provide anonymity. However, both Mr. Appelbaum and Peter Eckersley, a senior staff technologist at the Electronic Frontier Foundation, a digital rights group, said Adobe Flash defeated? those tools.
Mr. Eckersley said the problem was with a Flash feature called Flash Socket Class, which would allow SafeHouse to discover a user’s real IP address, regardless of any anonymizing technologies that might be in use. As such, The Journal could identify people who upload documents, or be forced by the government to do so. News organizations like The Journal are accustomed to protecting sources, including from the government, but having the information could open it up to legal difficulties.
The E.F.F. said that it raised its concerns about Flash Socket Class in March 2010 with Adobe’s chief privacy officer, MeMe Rasmussen, and that the company said the issue would be hard to fix but that it would work on it. An Adobe spokeswoman was not immediately able to provide comment.
The way HTTPS is used by SafeHouse would not be problematic for an average Web site, said Ivan Ristic, director of engineering at Qualys and founder of a research effort called SSL Labs. However, it did not cover all the bases necessary to ensure that a user couldn’t be fooled into engaging in unencrypted communication.
Dan Kaminsky, chief scientist at the security firm DKH, said even major banks did not use the advanced technologies in question. Those technologies are “nice to have,” but can cause other problems, he said, and their absence does not make a site unsafe.
Mr. Ristic said it was also troubling that SafeHouse was using algorithms known as cipher suites that are not strong enough to ensure that recorded communications cannot be deciphered later if the key to them is somehow obtained.
On Friday afternoon, Qualys was giving SafeHouse a grade of B on its use of encryption, in large measure due to poor cipher strength. But by Friday evening, its use of cipher technology was getting higher marks, and Qualys raised its grade to an A.
“Hopefully we’ll see this WSJ site moving toward a truly secure deployment,” Mr. Eckersley of the E.F.F. said. “That kind of i-dotting and t-crossing is necessary to be safe against some of the attacks we’ve seen used against HTTPS Web sites in recent years.”
没有评论:
发表评论