May 6, 2011 15:34 GMT

Security experts claim the Wall Street Journal (WSJ) SafeHouse, the newspaper's WikiLeaks alternative, does not meet the level of security expected of a whistleblower website.

WSJ SafeHouse's slogan is "securely share information with The Wall Street Journal," but well-known computer security expert and hacker Jacob Appelbaum does not agree with that assessment.

Appelbaum, who currently works for the University of Washington and is a developer for the Tor Project, told Forbes that despite using HTTPS, which is obviously a must for such a site, WSJ SafeHouse does not enforce HTTP Strict Transport Security (HSTS).

This leaves users vulnerable to man-in-the-middle attacks carried out with tools like sslstrip, where the attacker intercepts the victim's traffic and introduces insecure elements into it.

Another issue spotted by the security researcher is that SafeHouse's SSL implementation supports multiple forms of encryption, some of which don't ensure perfect forward secrecy (PFS).

PFS is a cryptographic property which ensures that session keys are not compromised if the private key used to derive them is leaked.

Without it, Appelbaum says, anyone who obtains access to the WSJ SafeHouse server, like the authorities or a hacker, could decrypt all previous traffic.
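An added example, not part of the original article: a Python check for the two weaknesses described above, a missing HSTS policy and cipher suites without forward secrecy. The function names and the sample headers and suite lists are constructed for illustration and were not captured from any real site.

```python
import re

def parse_hsts(headers):
    """Return (enforced, max_age, include_subdomains) from response headers."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return (False, 0, False)
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = 0
    for d in directives:
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', d)
        if m:
            max_age = int(m.group(1))
    # max-age=0 tells the browser to forget the policy, so it is not enforcement
    return (max_age > 0, max_age, "includesubdomains" in directives)

def is_forward_secret(suite):
    """Classify a cipher suite by its key exchange (OpenSSL or IANA naming)."""
    s = suite.upper()
    # TLS 1.3 suites always use an ephemeral (EC)DHE key exchange
    if s.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return True
    # Ephemeral Diffie-Hellman only; static RSA, DH and ECDH do not qualify
    return bool(re.match(r"(TLS_)?(ECDHE|DHE|EDH)[-_]", s))

def audit(headers, offered_suites):
    """List findings for one HTTPS endpoint's headers and offered suites."""
    findings = []
    enforced, _, _ = parse_hsts(headers)
    if not enforced:
        findings.append("no HSTS policy: a plain-HTTP request can be downgraded")
    weak = [s for s in offered_suites if not is_forward_secret(s)]
    if weak:
        findings.append("suites without forward secrecy: " + ", ".join(weak))
    return findings

# Constructed sample data: a weak configuration and a hardened one
WEAK_HEADERS = {"Content-Type": "text/html"}
WEAK_SUITES = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "RC4-SHA"]
HARDENED_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
HARDENED_SUITES = ["ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_256_GCM_SHA384"]

if __name__ == "__main__":
    for finding in audit(WEAK_HEADERS, WEAK_SUITES):
        print("FINDING:", finding)
```
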

"Pro tip: if you’re going to create a document leaking website – have a clue!" the security researcher said on Twitter, referring to WSJ's new project.

Another problem with the website is the fact that the Wall Street Journal doesn't really guarantee the anonymity of sources. In fact, it makes that pretty clear in its Terms of Service which read:

"We reserve the right to disclose any information about you to law enforcement authorities or to a requesting third party, without notice, in order to comply with any applicable laws and/or requests under legal process."

A WSJ spokesperson said the newspaper is committed to protecting sources, but that the terms were worded this way in order to provide the flexibility necessary in extraordinary circumstances.