OpenLeaks doesn't know how SSL works

Do you have a question? Post it now! No Registration Necessary.  Now with pictures! -

 OpenLeaks is a planned platform like WikiLeaks, founded by ex-Wikileaks
member Daniel Domscheit-Berg. It's been announced a while back and a beta
is currently presented in cooperation with the newspaper taz during the
Chaos Communication Camp (where I am right now).

 I had a short look and found some things noteworthy:
The page is SSL-only, any connection attempt with http will be forwarded
to https. When I opened the page in firefox, I got a message that the
certificate is not valid. That's obviously bad, although most people
probably won't see this message.

 What is wrong here is that an intermediate certificate is missing - we
have a so-called transvalid certificate (the term "transvalid" has been
used for it by the EFF SSL Observatory project). Firefox includes the root
certificate from Go Daddy, but the certificate is signed by another
certificate which itself is signed by the root certificate. To make this
work, one has to ship the so-called intermediate certificate when opening
an SSL connection.

 The reason why most people won't see this warning and why it probably
went unnoticed is that browsers remember intermediate certificates. If
someone ever was on a webpage which uses the Go Daddy intermediate
certificate, he won't see this warning. I saw it because I usually don't
use Firefox and it had a rather fresh configuration.

 There was another thing that bothered me: On top of the page, there's a
line "Before submitting anything verify that the fingerprints of the SSL
certificate match!" followed by a SHA-1 certificate fingerprint. Beside
the fact that it's english on a german page, this is a rather ridiculous
suggestion. Checking a fingerprint of an SSL connection against one you
got through exactly that SSL connection is bogus. Checking a certificate
fingerprint doesn't make any sense if you got it through a connection that
was secured with that certificate. If checking a fingerprint should make
sense, it has to come through a different channel. Beside that, nowhere is
explained how a user should do that and what a fingerprint is at all. I
doubt that this is of any help for the targetted audience by a
whistleblower platform - it will probably only confuse people.

 Both issues give me the impression that the people who designed OpenLeaks
don't really know how SSL works - and that's not a good sign.

Bear Bottoms, security consultant

Site Timeline