Andy Greenberg of Forbes reports that the SafeHouse site, launched by The Wall Street Journal on Thursday for sources to provide documents and information, has problems that would allow those sources to be identified.
The Journal issued a statement on Friday saying that it is working to correct the problems.
Greenberg writes, “But within hours, the security community was pointing to flaws in the site’s protections for anonymous leakers and the fine print of its policy for source protections that could give away the identities of would-be whistleblowers.
“‘Pro tip: if you’re going to create a document leaking website – have a clue!’ wrote security researcher Jacob Appelbaum in his Twitter feed.
“Appelbaum, a developer for the Tor anonymity network and a past volunteer for WikiLeaks, says that SafeHouse insecurely implements Secure Socket Layer (SSL) encryption, the protection meant to render any data passed between a user and a website unreadable. When a visitor goes to http://wsjsafehouse.com, for instance, that unencrypted site offers a link to the encrypted HTTPS version of the site. But Appelbaum points out that it doesn’t use a mechanism called Strict Transport Security to switch from the insecure to the encrypted connection. So any lurking man-in-the-middle on the user’s network can use a tool like SSL Strip to make it appear that he or she has entered the encrypted version of the site when in fact the traffic is unprotected.”
Read more here.
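A defender-side check for the gap described in the quoted passage, as an added example that is not from the Forbes article or the Journal: it audits a pair of already-captured responses (plain HTTP and HTTPS) for a permanent redirect and a valid Strict-Transport-Security policy. The 180-day minimum, the `example.test` host and the sample responses are assumptions constructed for illustration.

```python
import re

MIN_MAX_AGE = 15552000  # 180 days: an assumed policy floor, not from the article

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797); None if invalid."""
    policy, seen = {"max_age": None, "include_subdomains": False}, set()
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        if name in seen:          # each directive may appear only once
            return None
        seen.add(name)
        if name == "max-age":
            m = re.fullmatch(r'"([0-9]+)"|([0-9]+)', arg.strip())
            if not m:
                return None
            policy["max_age"] = int(m.group(1) or m.group(2))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy if policy["max_age"] is not None else None

def audit(http_resp, https_resp):
    """Each response is (status, headers with lowercase names). Returns findings."""
    findings = []
    status, headers = http_resp
    if status not in (301, 308) or not headers.get("location", "").lower().startswith("https://"):
        findings.append("http: no permanent redirect to https")
    if "strict-transport-security" in headers:
        findings.append("http: HSTS sent over plaintext is ignored by browsers")
    raw = https_resp[1].get("strict-transport-security")
    policy = parse_hsts(raw) if raw is not None else None
    if raw is None:
        findings.append("https: Strict-Transport-Security header missing")
    elif policy is None:
        findings.append("https: Strict-Transport-Security header malformed")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append("https: max-age %d is below %d" % (policy["max_age"], MIN_MAX_AGE))
    return findings

# Constructed responses: a site like the one described, then a hardened one.
AS_DESCRIBED = ((200, {"content-type": "text/html"}), (200, {"content-type": "text/html"}))
HARDENED = ((301, {"location": "https://example.test/"}),
            (200, {"strict-transport-security": "max-age=31536000; includeSubDomains"}))

if __name__ == "__main__":
    for label, pair in (("as described", AS_DESCRIBED), ("hardened", HARDENED)):
        print(label, audit(*pair) or "ok")
```

A browser only enforces the policy after it has received the header over a successful HTTPS connection, so a first visit over plain HTTP is still exposed unless the host is on a browser preload list.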