Yesterday, I blogged about a company, LastPass, that takes security seriously and has well-thought-out procedures in place to protect its users. LastPass is a small company run by relatively young people who have perhaps a decade’s experience in software development and running companies.
What are we to think, then, of a large international company that is almost 140 years old, with very deep pockets, and run by people with decades of experience that nevertheless cannot manage to deploy a Web site in a way that will protect their users? The Wall Street Journal has announced that they are starting their very own Wikileaks called WSJ SafeHouse.
It’s an idea with some merit. Properly implemented, it would give whistle blowers a safe way to inform the public of things they believe the public should know while at the same time ensuring that the information is evaluated and vetted by experienced editors. The problems started appearing as soon as people looked at their Terms of Use. The WSJ offers three options for submitting data but does not guarantee anonymity for any of them. Right there you’ve lost any whistle blower with even a minimal survival instinct.
But it gets worse. The Terms of Use goes on to say that you warrant that you have the legal right to upload the data and that it will not violate any law or the rights of any person. In other words, whistle blowers need not apply. This is so ridiculous that it could only have been dreamed up by lawyers. It doesn’t matter, though, because no one is going to seriously consider using the site.
You may roll your eyes and think, “Well yes, but this is just the usual lawyer-babble that the WSJ has to put there to protect themselves. We all know that they will go to the wall to protect their sources.” Indeed, after the laughter started, the WSJ put out a statement saying they are committed to protecting their sources to the fullest extent possible under the law. Again, what whistle blower in his or her right mind is going to have anything to do with these people?
It turns out, though, that the lawyers aren’t the only ones without a clue. The security community took a look at the site and reported several problems with its security. In the first place, their handoff from the unencrypted http://www.wsjsafehouse.com to the encrypted https://www.wsjsafehouse.com fails to use Strict Transport Security and therefore renders the user susceptible to a man-in-the-middle attack that strips out the SSL protection. Even worse, the site’s SSL server supports several cipher suites without perfect forward secrecy so any successful attack on the server could immediately render all previous traffic using one of those suites vulnerable to decryption.
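A defender-side check for the two issues described above, as an added example that is not from the original post or from the WSJ: it parses a `Strict-Transport-Security` header per RFC 6797 and flags OpenSSL-style cipher suite names that lack an ephemeral key exchange. The sample headers and suite list are constructed, and the 180-day `min_max_age` threshold is an assumption.

```python
# Constructed sample data, not captured from any real site.
SAMPLE_HTTPS_HEADERS = {"Content-Type": "text/html"}  # no HSTS header
SAMPLE_SUITES = ["ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-SHA",
                 "AES128-SHA", "RC4-SHA"]  # last two: static RSA key exchange

# OpenSSL-style names with an ephemeral (EC)DH key exchange, plus TLS 1.3
# suites, which are always ephemeral. Anonymous ADH-/AECDH- suites are also
# reported: they are unauthenticated and should be disabled anyway.
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "TLS_AES_", "TLS_CHACHA20_")


def parse_hsts(headers):
    """Return (max_age, include_subdomains), or None if no valid policy."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return None
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not (arg.isascii() and arg.isdigit()):
                return None  # malformed max-age: treat policy as invalid
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    # RFC 6797 requires max-age; without it there is no policy.
    return None if max_age is None else (max_age, include_sub)


def lacks_forward_secrecy(suite):
    return not suite.upper().startswith(FS_PREFIXES)


def audit(https_headers, suites, min_max_age=15552000):
    """List findings; min_max_age (180 days) is an assumed threshold."""
    findings = []
    policy = parse_hsts(https_headers)
    if policy is None:
        findings.append("no valid Strict-Transport-Security header")
    elif policy[0] < min_max_age:
        findings.append(f"HSTS max-age {policy[0]} below {min_max_age}")
    findings += [f"cipher suite without forward secrecy: {s}"
                 for s in suites if lacks_forward_secrecy(s)]
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HTTPS_HEADERS, SAMPLE_SUITES):
        print(finding)
```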
The previously mentioned statement from the WSJ says that many of the security problems have already been fixed and promises to address the others shortly. Unfortunately, whatever credibility WSJ SafeHouse had as a secure place for whistle blowers has already been squandered and will be hard, if not impossible, to get back.