The Wall Street Journal today launched its own version of Wikileaks called WSJSafehouse. The site, which follows other media-sponsored drop boxes like Al Jazeera's Transparency Unit, is a document-sharing portal where users are meant to upload whistle-blowing photos or documents securely so that reporters at the paper can make them public. The launch made some news today because the Journal beat The New York Times (which has collaborated with Wikileaks in the past) and the Washington Post to the punch in creating their own, similar sites. But at least one privacy expert says the site is full of security holes
Privacy activist and Web security expert Jacob Appelbaum says technical details about the site's security are troubling enough that it shouldn't be trusted. Appelbaum is a developer with the Tor project, which produces a way to anonymously access the web. The Journal suggests using Tor to more securely upload documents to the site, but Appelbaum told The Atlantic Wire that using the site with Tor doesn't work. Applebaum cites other flaws in the Journal site's security like the use of a page that bounces visitors from a normal HTTP address to a more secure HTTPS page. He says an attacker could exploit that bounce by getting in the middle of it and redirecting a user to a fraudulent site, or by monitoring the uploads of documents.
"There are ways potentially to trick a user into visiting a site that is not their site. And even if you use their 'secure' site, it is not reasonably secured," Appelbaum says. "The problems include the redirect page, the apparent use of Flash, no strict transport security, and the wording of the terms of service. And it uses a security certificate that appears to be invalid."
Appelbaum also pointed to the Journal's use of Flash to build its site, which he considers "very bad" for those concerned with online privacy. "If you were using a proxy, Flash may not respect your proxy settings. A malicious Flash applet may acquire your name or your computer's name and you would never know it," he said.
In addition, Appelbaum and others have pointed to troubling wording in the terms of service on the WSJSafehouse site. Users who don't read through the terms won't learn that unless they specifically request anonymity the Journal's parent company Dow Jones "does not make any representations regarding confidentiality." Even if they do request anonymity the terms state: "If we enter into a confidential relationship, Dow Jones will take all available measures to protect your identity while remaining in compliance with all applicable laws." Since there is no federal shield law, that means documents and their suppliers could be subpoenaed, and might be surrendered.
"I’m sure they’ll fix this in good time, but to give you an example, I thought about leaking them all this information through their leaking interface, but I couldn’t use their interface with Tor. And I’m a Tor developer," Appelbaum said.