SafeHouse: WSJ WikiLeaks Rival Has Weak Security

by Jordan Yerman | May 6, 2011 at 10:25 am

97 views | 0 Recommendations | 0 comments

WSJ's SafeHouse Blasted for Poor Security

If you are a would-be whistleblower who is considering sharing secrets, stay away from SafeHouse for the time being. The Wall Street Journal launched SafeHouse as a would-be rival to WikiLeaks, but the implementation leaves much to be desired.

Jacob Appelbaum of the TOR Project dismissed SafeHouse's launch as negligent: an insecure leak site only chills the impetus to share secrets. To begin with, SafeHouse doesn't work with TOR, an anonymity network designed to prevent others from snooping on your internet activity. This lack of compatibility is, for lack of a better word, silly.

Another issue, insecure redirects away from https (which makes it all too easy for a hacker to get between you and the next secure pageload), seems to be getting fixed, though it's a mystery why such a glaring flaw would be present on a live site in the first place. Also, SafeHouse should look into getting an SSL certificate, which they don't currently have.

Also, SafeHouse is Flash-dependent. Flash may be relatively easy to implement, but it's also relatively easy to exploit. Basically, SafeHouse was pushed live when it wasn't even ready for beta testing.

Then there's the Terms of Service, which do not guarantee anonymity to sources. Why, precisely, would you want to leak something to a site which will not guarantee anonymity?

Then we must deal with the question of credibility. WSJ is owned by Rupert Murdoch's News Corp. Not exactly outside the system, is it?