May 7, 2011

SafeHouse, the WikiLeaks-style whistleblowing site set up by the WSJ, cannot be trusted

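SafeHouse, the whistleblowing site that the Wall Street Journal set up to rival WikiLeaks, appears to have been branded, just one day after its launch, as a failed site that cannot guarantee its users' anonymity.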

Wall Street Journal faces backlash over WikiLeaks rival
SafeHouse criticised as a 'total anonymity failure'
by web security and privacy experts


Josh Halliday

guardian.co.uk, Friday 6 May 2011 14.21 BST
http://www.guardian.co.uk/media/2011/may/06/wall-street-journal-wikileaks-safehouse


The Wall Street Journal is facing a backlash from web security and privacy experts over its WikiLeaks-inspired whistleblowers' site, SafeHouse.

SafeHouse, which launched on Thursday to allow anyone to upload documents to the Journal, has been described by one encryption analyst as a "total anonymity failure" that could compromise the security of whistleblowers.

Other researchers have told the Guardian that SafeHouse needs "basic improvements" and that – in its current state – should not have been launched.

"These are technical issues that only technical experts will notice," said Rik Ferguson, a security analyst at Trend Micro. "But given the kind of data that the Journal will hope to get from this, if I [was a whistleblower] there would absolutely be enough for me not to choose that site to upload to.

"There are certainly some relatively basic improvements that could and should have been made before the site went live."

Jacob Appelbaum, a security researcher and senior developer on the Tor online anonymity network, was also critical of SafeHouse: "They're negligent and this is the wrong project to beta-test on an open internet," he said.

Within hours of SafeHouse being launched, security experts pointed out that the site has an insecure way of redirecting whistleblowers who visit the unencrypted version of the site. "This leaves any potential whistleblower open to the chance of getting their traffic – and any documents they're uploading – intercepted by someone on the same network," said Ferguson.

SafeHouse's terms and conditions includes a disclaimer that it "cannot ensure complete anonymity" of whistleblowers who opt to use the most secure form of uploading to the site – and recommends using "cloaking" tools such as Tor, which hide the online identities of web users.

However, uploading from Tor did not work on Thursday or Friday when tested by security researchers. "This is quite worrying and makes you think that it's quite risky if you're going to put information on there," Paul Mutton, a web security tester, told the Guardian.

Mutton added it was also "surprising" the Journal had not opted for an independently-verified SSL certificate – as used by PayPal and other companies which transmit sensitive information – which notifies site visitors of its enhanced protection with a green address bar.

"Not only would this instil more confidence in submitters, but it would also be more difficult for someone else to impersonate the site," Mutton said.

SafeHouse is also facing criticism for its terms and conditions, which state the Journal "reserve[s] the right to disclose any information about you to law enforcement authorities or to a requesting third party, without notice, in order to comply with any applicable laws and/or requests under legal process [...]".

The Journal confirmed to the Guardian on Friday that it would shortly update SafeHouse in an attempt to eliminate some potential vulnerabilities.

Ashley Hutson, a spokeswoman for the Journal, said: "We take these issues very seriously. Development for eliminating the Flash dependency, which is required for Tor compatibility, is complete, and we expect to implement the update within 48 hours.

"In addition, our system has been updated to limit the types of less secure connections it will accept. As is standard procedure, we will continue to assess new specifications and analyse any potential situation that may impact the privacy of our users.

"Our priority is to ensure that SafeHouse fulfils its mission as a secure location that provides sources with access to highly skilled, experienced journalists."

posted by nfsw19 at 22:00