WikiLeakS.org restores SSL encryption for submissions upload form, but not for downloads as before

| | Comments (2)

Perhaps as a result of the recent publicity in Wired magazine about their broken security technology promises and systems, which this blog has been commenting on for a while, WikiLeakS.org now appear to have brought back their SSL / TLS session encrypted web form, for "secure" Uploads of electronic documents to the website..

wl_upload_form_1.jpg

No announcement or explanation or apology

Typically this has been done without any explanation or apology, on the main web site or via the Wikileaks Twitter propaganda broadcasts or press release emails.

Neither has there been any announcement or discussion of this major development on the as yet unused new Official Wikileaks Blog:

This blog is to discuss technical or community issues related to WikiLeaks and Sunshine Press that do not have a natural fit on the main WikiLeaks pages.

Note that the word "blog", like the word "wiki", has been redefined in WikiLeakS.org's Orwellian newspeak - they really mean "another channel for propaganda broadcasts, which does not allow any feedback via comments from the public", the very opposite of their usual meanings.

As always with WikiLeakS.org, there is still no clear explanation of the advantages and disadvantages or actual risks to your anonymity of using this re-launched and modified document submission method, if you are a potential whistleblower.

Worryingly, there could also be hidden tracking of the IP addresses and other web browser details of each upload submission with this new Upload Form. (see below)

Still no SSL encryption for Downloads, as there used to be

There still does not appear to be any re-introduction of the SSL / TLS encrypted web session Download option on the couple of thousand whistleblower leaked document pages, as there used to be. The only options are still the unencrypted "File" and the bittorrent Peer to Peer options "Torrent | Magnet ", which are likely to be blocked in many places.

N.B. despite the hype, there has never been "over a million" documents published on WikiLeakS.org as various media reports have claimed,
a misconception which WikiLeakS.org have deliberately never corrected.

The new Wikileaks Upload form

The new web submission form links from the main WikiLeakS.org website, as before, but instead of going to https://secure.wikileaks.org the new web form is at

https://sunshinepress.org

A positive point is that they do publish the Digital Signature hashes which correspond to this
correspond to the new Digital Certificate:

Before submitting anything verify that the fingerprints of the SSL certificate match!
SHA256 85:C3:77:8E:7F:BC:96:42:CF:EE:03:B0:AC:4A:2A:26:15:18:CB:50:41:EC:7A:2A:CC:9F:56:60:67:94:04:7E
SHA1 68:C3:4B:3D:05:7A:53:E3:8C:FE:71:F1:30:3D:8A:AD:8E:33:0A:76
MD5 4B:6F:6A:D8:A2:29:7F:06:F3:4F:33:EE:74:32:1C:F8

The laudable intention is to provide some sort of authentication that this data file upload form is being run by WikiLeakS.org, but not for the first time, WikiLeakS.org have made a mistake with the fundamental trust model.

However WikiLeakS.org are establishing the chain of trust from the wrong place - the new Digital Certificate and its cryptographic hash "fingerprints" help to verify that this is a sunshinepress.org web page, but they do not verify that it is a wikileaks.org one.

The Upload Form almost certainly is being run by WikiLeakS.org, only because those of us who are familiar with the history of WikiLeakS.org and who have carefully explored that website, will notice that that the WikiLeakS.org Contact Page now exclusively publishes contact email addresses using

@sunshinepress.org

The sunshinepress.org domain name has been a "cover name" since the beginning of the project and has been used to help collect financial donations.

Given the risks of DNS poisoning or Man-in-the-Middle attacks, WikiLeakS.org should have published these hash values on a WikiLeaks.org web page, certainly not just on the unfamiliar to most people, sunshinepress.org one.

Anyone familiar with fake internet banking "phishing" websites should have noticed this error.

The web form retains what may be the the original submission system's delayed publication / embargo request facility.

The old scheme used to explain that there was a deliberate, random delay between submission and publication, in order to help to confuse Communications Data Traffic Analysis, but perhaps, like so much else, this was not true, and just relied on the editorial approval process to introduce a delay.

It is unclear if any of this still applies with the new Upload Form.

Making a hash of the footnote

The footnote which repeats the SHA1 cryptographic hash of the Web Server's Digital Certificate, which appears on each of the subsequent pages during the data file upload process, is a bit confusing.

Each of the Leaked Document pages publishes, from the previous "secure" submission system is published with a cryptographic hash of the file which was uploaded e.g.

Cryptographic identity SHA256 27b41de6409afc666abd12e65de417439a78b94dbe37bfd601f02e531a2f15a3

but without giving or pointing the website visitor or the original whistleblower to any tools to use this "fingerprint" to actually verify that the file being downloaded has not been tampered with or corrupted.

Similarly, the weaker but still adequate SHA1 hash on the footnote of Upload Form pages does not actually prove that the content of each web page it appears on has not been tampered with or corrupted - it would have to be a Digital Signature for each individual page to do that, using something like PGP (which WikiLeaks.org are stupidly still boycotting).

Courage is contagious.
SHA1 68:C3:4B:3D:05:7A:53:E3:8C:FE:71:F1:30:3D:8A:AD:8E:33:0A:76

At first glance it appears to be a hash of the words "Courage is contagious", which it is not. (it is debatable if the slogan is true or not).

GlobalSign Digital Certificate

The new Digital Certificate is from a recognised commercial Certificate Authority, GlobalSign nv-sa unlike the self signed one used by the WikiLeakS.org IRQ IRC chat server.

wl_digital_certificate_1.jpg


CN = GlobalSign Domain Validation CA
O = GlobalSign nv-sa
OU = Domain Validation CA
C = BE

[...]

CN = sunshinepress.org
O = sunshinepress.org
OU = Domain Control Validated
C = SE

The GlobalSign Certificate Authority is based in Belgium, which may make it a little more resilient against a US or UK court order attempt to force them to revoke this Digital Certificate.

Lawyers have already gone after the equally neutral and illegal content free wikileaks.org domain name, so it is only a matter of time before they try the same sort of legal trickery and threat of expensive court costs, even if you win the case, with SSL Certificate Authorities as they have done with Internet Service Providers and with Domain Name registrars.

See our censorship threats from Lawyers category archive

Whether this Belgium based CA will secretly hand over the private de-cryption keys for this sunshinepress.org / wikileaks.org upload web server when faced with a Mutual Legal Aid Agreement or European Evidence Warrant from foreign intelligence or police agencies or a Belgian police warrant or Court order, remains to be seen.

At least now, this current Digital certificate from a commercial Certificate Authority is, by default, trusted by the vast majority of web browser software, which will therefore not pop up warning messages, which would certainly put off some or all sensible or paranoid whistleblowers.

Like all modern Digital Certificates it uses SHA1 and does not rely on the potentially foregable MD5 cryptographic hash, which the old WikileakS.org Digital Certificate used to.

This Digital Certificate is valid from Friday 16th July 2010 for a year:

Not Before:
16/07/2010 10:47:50
(16/07/2010 10:47:50 GMT)

Not After:
17/07/2011 10:47:46
(17/07/2011 10:47:46 GMT)

It covers 3 possible domain name aliases:

wl_digital_certificate_2.jpg

sunshinepress.org
www.sunshinepress.org
submit.sunshinepress.org

All of these domain names resolve to the same IP address that the wikileaks.org ones do i.e. to

IP address: 88.80.2.32
Host name: wikileaks.org

IP address: 88.80.2.32
Host name: sunshinepress.org

They all appear to use the same kind of Reverse Proxy Server:

Via: 1.1 https-www
Server: Sun-Java-System-Web-Server/7.0
Proxy-agent: Sun-Java-System-Web-Server/7.0
X-powered-by: Servlet/2.4

With this new Digital Certificate, WikiLeakS.org is back to the situation it was between its May re-launch and 12th June , when the old Digital Certificate was unprofessionally allowed to expire with any rollover to a new one.

Still no return of the Tor Hidden Service

There is still no Tor Hidden Service end to end encryption through the Tor anonymity cloud, like there used to be before the self-imposed shutdown of the website last Christmas 2009.

UPDATE:


http://suw74isz7wqzpmgu.onion/

has been announced on the Official Wikileaks Blog and by Jacob Applebaum standingin for Julian Assange at the HOPE hackers' conference in New York.

Potential snooping via the WikiLeaks.org Upload form

wl_upload_thank_you_1.jpg

If you click on the link on the WikiLeakS.org Upload Form to the Disclaimer link, or actually selct a local file from your computer and press the Submit button, or if you read the HTML source code of the form, you will see something like

https://sunshinepress.org/upload/A52CFA2183C87B6B2AC792FC535EC83EB9DBA669/meta

in your web browser address bar.

i.e. a dynamically generated URL, which is different for each visitor or visit to the Upload Form.

If we took a charitable view, this could simply be a badly configured database driven web page Content Management System, which is producing human unfriendly URLs.

This might make sense, if WikIleakS.org was selling the content of its web pages and wanted to track each visitor's viewing habits or if they were trying to make it more difficult for valuable digital content to be indexed by web search engines.

To have this feature only on the supposedly "secure" and document file upload web form, to a supposedly "anonymous" whistleblower website makes no sense at, unless either incompetence or deliberate snooping are involved.

How can sceptical, suspicious people like us or any sane , cautious whistleblower, be assured that the 40 character 0-9, A-F, probably hexadecimal string, is not being logged by the web server hosting infrastructure e.g. the web server(s), proxy server(s) , etc. ?

Because this "unique identifier" appears in the URL path of the multi-page web form, it is visible as Communications Traffic Data to your local Internet Service Provider and other commercial and government snoopers, regardless of the fact that the rest of the web page and your actual upload is encrypted via TLS / SSL using the web server's Digital Certificate. In the European Union, for example, this Communications Data is, by law, retained for up to 3 years.

This "unique identifier" reduces the chances of the "plausible deniability" excuse during any "leak investigation" i.e. the claim that the computer used to upload some leaked document or other was not yours, but must have been someone else's within the same organisation or another customer of the same Internet Service Provider etc.

Coupled with the lack of any explicit statement by WikilLeakS.org that no web server or firewall or intrusion detection or anti-virus scanning or reverse proxy server or traffic management or load balancer etc. infrastructure at the PRQ web hosting company in Stocholm , Sweden, does not retain any IP address or other details in their log files (as all of these internet components tend to do by default) , any cautious whistleblower should assume that their supposedly secure SSL encrypted web upload session will leave electronic traces which may very well betray their identity, especially to the Swedish police and intelligence agencies and to WikiLeakS.org insiders.

Unless and until WikIleakS.org either clearly explain these unique identifiers in the web pages, or , better still, simply remove them, then we will advice people not to use this new, supposedly secure and anonymous, whistleblower document data file upload form.

2 Comments

Jacob Appelbaum's mostly non-technical Keynote Speech, a recording of which (approx. 1 hour 20 minutes) is available at:

http://drop.io/thenexthope_wikileaks/asset/ioerror-hope-wikileaks-20100717-mp3

[link via boing boing]

At around 1 hour 5 minutes into the recording Jacob appealed to the audience of hackers, journalists, US Government agents and wannabes to widely Publicise the cryptographic hash fingerprints of the genuine wikileaks/sunshinepress Digital Certificate used on the new Wikileaks Upload pages.

However, so far, according to Google, this is the only other website which has done so (even before listening to the recording of his speech)

I worked at the Royal Hobart Hospital in Tasmania for 2 years 2007-2009. I witnessed a large amount of theft and fraud, by supervisors and senior managers. Particularly in the food services and cleaning departments. Also throughout the whole hospital of 850 full time and 2100 part time employees, there was a large amount of nepotism going on. Every manager and supervisor throughout the hospital had most of their family woking there. For any outsiders to obtain jobs a bribe to that departments manager would be required. I witnessed many thousands of dollars in food and supplies being covertly taken out side doors at nights, to supervisors and managers cars. Also many family members being given high paid senior positions with no interviews and forged application paperwork. I complained to Human Resources managers within the hospital, and was given a nice premotion with lots of overtime. This to me was utterly disgusting I left soon after. I estimate in my time working there I witnessed about 2-3 million dollars worth of stock stolen and fake overtime paid out. Overtime at $32 perhour at weekends and nights paid to supervisors family members who were not present, but were hospital employees. Regards A very dissapointed ex hospital employee.

About this blog

This blog here at WikiLeak.org (no "S") discusses the ethical and technical issues raised by the WikiLeakS.org project, which is trying to be a resource for whistleblower leaks, by providing "untraceable mass document leaking and analysis".

These are bold and controversial aims and claims, with both pros and cons, especially for something which crosses international boundaries and legal jurisdictions.

This blog is not part of the WikiLeakS.org project, and there really are no copies of leaked documents or files being mirrored here.

Email Contact

Please feel free to email us your views about this website or news about the issues it tries to comment on:

email: blog@WikiLeak[dot]org

Before you send an email to this address, remember that this blog is independent of the WikiLeakS.org project.

If you have confidential information that you want to share with us, please make use of our PGP public encryption key or an email account based overseas e.g. Hushmail

LeakDirectory.org

Now that the WikiLeakS.org project is defunct, so far as new whistleblower are concerned, what are the alternatives ?

The LeakDirectory.org wiki page lists links and anonymity analyses of some of the many post-wikileaks projects.

There are also links to better funded "official" whistlblowing crime or national security reporting tip off websites or mainstream media websites. These should, in theory, be even better at protecting the anonymity and security of their informants, than wikileaks, but that is not always so.

New whistleblower website operators or new potential whistleblowers should carefully evaluate the best techniques (or common mistakes) from around the world and make their personal risk assessments accordingly.

Hints and Tips for Whistleblowers and Political Dissidents

The WikiLeakS.org Submissions web page provides some methods for sending them leaked documents, with varying degrees of anonymity and security. Anybody planning to do this for real, should also read some of the other guides and advice to political activists and dissidents:

Please take the appropriate precautions if you are planning to blow the whistle on shadowy and powerful people in Government or commerce, and their dubious policies. The mainstream media and bloggers also need to take simple precautions to help preserve the anonymity of their sources e.g. see Spy Blog's Hints and Tips for Whistleblowers - or use this easier to remember link: http://ht4w.co.uk

BlogSafer - wiki with multilingual guides to anonymous blogging

Digital Security & Privacy for Human Rights Defenders manual, by Irish NGO Frontline Defenders.

Everyone’s Guide to By-Passing Internet Censorship for Citizens Worldwide (.pdf - 31 pages), by the Citizenlab at the University of Toronto.

Handbook for Bloggers and Cyber-Dissidents - March 2008 version - (2.2 Mb - 80 pages .pdf) by Reporters Without Borders

Reporters Guide to Covering the Beijing Olympics by Human Rights Watch.

A Practical Security Handbook for Activists and Campaigns (v 2.6) (.doc - 62 pages), by experienced UK direct action political activists

Anonymous Blogging with Wordpress & Tor - useful step by step guide with software configuration screenshots by Ethan Zuckerman at Global Voices Advocacy. (updated March 10th 2009 with the latest Tor / Vidalia bundle details)

WikiLeakS Links

The WikiLeakS.org Frequently Asked Questions (FAQ) page.

WikiLeakS Twitter feeds

The WikiLeakS.org website does not stay online all of the time, especially when there is a surge of traffic caused by mainstream media coverage of a particularly newsworthy leak.

Recently, they have been using their new Twitter feeds, to selectively publicise leaked documents to the media, and also to report on the status of routing or traffic congestion problems affecting the main website in Stockholm, Sweden.

N.B.the words "security" or "anonymity" and "Twitter" are mutually exclusive:

WikiLeakS.org Twitter feed via SSL encrypted session: https://twitter.com/wikileaks

WikiLeakS.org unencrypted Twitter feed http://twitter.com/wikileaks

Internet Censorship

OpenNet Initiative - researches and measures the extent of actual state level censorship of the internet. Features a blocked web URL checker and censorship map.

Temporary Autonomous Zone

Temporary Autonomous Zones (TAZ) by Hakim Bey (Peter Lambourn Wilson)

Cyberpunk author William Gibson

Campaign Button Links

Watching Them, Watching Us, UK Public CCTV Surveillance Regulation Campaign
UK Public CCTV Surveillance Regulation Campaign

NO2ID Campaign - cross party opposition to the NuLabour Compulsory Biometric ID Card
NO2ID Campaign - cross party opposition to the NuLabour Compulsory Biometric ID Card and National Identity Register centralised database.

Gary McKinnon is facing extradition to the USA under the controversial Extradition Act 2003, without any prima facie evidence or charges brought against him in a UK court. Try him here in the UK, under UK law.
Gary McKinnon is facing extradition to the USA under the controversial Extradition Act 2003, without any prima facie evidence or charges brought against him in a UK court. Try him here in the UK, under UK law.

FreeFarid_150.jpg
FreeFarid.com - Kafkaesque extradition of Farid Hilali under the European Arrest Warrant to Spain

Peaceful resistance to the curtailment of our rights to Free Assembly and Free Speech in the SOCPA Designated Area around Parliament Square and beyond

Parliament Protest blog - resistance to the Designated Area restricting peaceful demonstrations or lobbying in the vicinity of Parliament.

Petition to the European Commission and European Parliament against their vague Data Retention plans
Data Retention is No Solution Petition to the European Commission and European Parliament against their vague Data Retention plans.

Save Parliament: Legislative and Regulatory Reform Bill (and other issues)
Save Parliament - Legislative and Regulatory Reform Bill (and other issues)

Open_Rights_Group.png
Open Rights Group

The Big Opt Out Campaign - opt out of having your NHS Care Record medical records and personal details stored insecurely on a massive national centralised database.

Tor - the onion routing network
Tor - the onion routing network - "Tor aims to defend against traffic analysis, a form of network surveillance that threatens personal anonymity and privacy, confidential business activities and relationships, and state security. Communications are bounced around a distributed network of servers called onion routers, protecting you from websites that build profiles of your interests, local eavesdroppers that read your data or learn what sites you visit, and even the onion routers themselves."

Tor - the onion routing network
Anonymous Blogging with Wordpress and Tor - useful Guide published by Global Voices Advocacy with step by step software configuration screenshots (updated March 10th 2009).

irrepressible_banner_03.gif
Amnesty International's irrepressible.info campaign

anoniblog_150.png
BlogSafer - wiki with multilingual guides to anonymous blogging

ngoiab_150.png
NGO in a box - Security Edition privacy and security software tools

homeofficewatch_150.jpg
Home Office Watch blog, "a single repository of all the shambolic errors and mistakes made by the British Home Office compiled from Parliamentary Questions, news reports, and tip-offs by the Liberal Democrat Home Affairs team."

rsf_logo_150.gif
Reporters Without Borders - Reporters Sans Frontières - campaign for journalists 'and bloggers' freedom in repressive countries and war zones.

committee_to_protect_bloggers_150.gif
Committee to Protect Bloggers - "devoted to the protection of bloggers worldwide with a focus on highlighting the plight of bloggers threatened and imprisoned by their government."

wikileaks_logo_low.jpg
Wikileaks.org - the controversial "uncensorable, anonymous whistleblowing" website based currently in Sweden.

Syndicate this site (XML):

Recent Comments

  • Anonymous: I worked at the Royal Hobart Hospital in Tasmania for read more
  • wikileak: Jacob Appelbaum's mostly non-technical Keynote Speech, a recording of which read more

December 2014

Sun Mon Tue Wed Thu Fri Sat
  1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30 31