Wikileaks Sidesteps Publishing Public PGP Key

An anonymous reader writes "Repeated requests toward the Wikileaks staff regarding their use of PGP have gone unanswered. The current public PGP key posted has been expired since November 2nd, 2007. A response on their PGP talk page notes that the 'SSL based mail submission system' will be the secure online method of document submission. At the current time, there is no method to safely encrypt any postal communications with Wikileaks or verify that any given communication actually originated from a Wikileaks staff member." Doubtless there are some complicating factors here -- but what is the best way to keep a confidentiality-centric site like Wikileaks trustworthy?

Whoo boy

[iminplaya (723125)]

Generally we recommend against using PGP in its simplest form, since the traffic is easily detected and provides proof of intention to conceal, which depending on the context may pose a significant difficulty. - emph mine

Gut reaction to that statement makes me feel a bit queasy.

Re:Whoo boy

[kestasjk (933987)]

It makes sense, really. Anything you send to WikiLeaks you intend to be told to everyone.

I think what they mean by "provides proof of intention to conceal" is that they don't want people leaking something and then saying "aha! You just told everyone something that I meant to be kept private, I'm going to sue! Why would I have encrypted it if I had meant you to release it?"

And that person would have a point. It's hard to think how someone could post something to WikiLeaks, so that it can be publicly posted, but desire that their information be transmitted encrypted. The assumption should always be anything you send to WikiLeaks is public, and allowing encrypted submissions may make this unclear.
If they need to submit the information anonymously they should do it anonymously, PGP can't help with that.

Re:Whoo boy

[DaffyDuck101 (247015)]

Quite obviously they (the submitters) would like to be able to deny they sent the information in the first place. PGP or not is not going to help a lot with that.

"Proof of intention to conceal" would refer to the fact that when the next scandal at ACME is published, and only one of their faithful employees ever used PGP as evidenced by their router logs, that would constitute enough proof to sue, even without being able to read the actual contents of the mail.

So what the nice folks at wikileaks are saying is that you might as well ditch PGP and use web-based SSL forms so you can just claim you were paying your annual Playboy magazine subscription, or whatever. Or you could send all your mail with PGP and try to convince everybody else to do so as well.

So yes, PGP isn't going to do you much good, but not for the reasons you stated.

Another option

[TheSpengo (1148351)]

Well, since people can't use PGP with their regular email addresses anymore to correspond with wikileaks, what's stopping them from making a dummy gmail account or something? It takes all of a couple seconds and that way you don't even have your regular email address associated with them at all.

Re:

[spottedkangaroo (451692)]

But it's complete BS... You can use PGP to *sign* documents. Encrypting is optional. You can do both. In some implementations you can actually do neither... odd.

Signing a document does not conceal anything.

Re:

[cwebster (100824)]

yes, but when you sign a document you use your private key, not the reciever's public key, which is the issue.

Re:

[spottedkangaroo (451692)]

why should that be an issue?

This is all about the web of trust and authenticating data. Why does it matter that the sender keeps their private key private?

Pretty sure their SSL setup will have a private key too. I suspect they'll have to conceal that too...

Re:

[perlchild (582235)]

The SSL Private key's is WikiLeaks, not the correspondants...

Re:

[cwebster (100824)]

why should that be an issue?

This is all about the web of trust and authenticating data. Why does it matter that the sender keeps their private key private?

because, like you say, its about trust and authentication. The only way that is possible is to sign with a private key and keep it private. If you sign with a private key and then distribute the private key, then anyone can sign the document as that person and you no longer have a signature that is meaningful.

Re:

[spottedkangaroo (451692)]

That's silly, you don't have to distribute the private key, that's the whole point.

Take the wikileak's SSL key. How do you know that's their private key and it's not a MiM attack? You know that because verisign (or someone) signed the public key. They did that with a private key -- and wikileak doesn't have it!! Oh nos!!!

There's always a private key you don't have. That's the whole point of asymetric cryptography. PGP is no different.

So this argument is all very silly.

Re:Whoo boy

[ceejayoz (567949)]

I think you're misunderstanding them.

I read it as "the Chinese or other totalitarian governments might punish you solely for using PGP".

Re:

[RKBA (622932)]

... the traffic is easily detected and provides proof of intention to conceal, which depending on the context may pose a significant difficulty.

All the more reason why EVERYONE should use PGP or some variant thereof ALL THE TIME for ALL email, even if you're only encrypting your favorite cookie receipt.

I wish the world would use GPG more

[CRCulver (715279)]

A decade ago, every geek had a PGP key, keysigning parties were a great way to spend a Friday night, and everyone was raving about Schneier's eggheaded but useful tome Applied Cryptography [amazon.com] . Now when I ask otherwise normal geeks if they have a PGP key, they just look at me like I'm from Mars. I don't understand, PGP has gotten only easier to use, there's a great Firefox extension for it, but it has faded in popularity.

Re:

[by Anonymous Coward]

There is the problem of webmail.

I know there are extensions to firefox to get s/mime support, PGP and a few other (proprietary) methods of encrypting emails, but you don't always have ontrol over the browser you're using.

I'd love to use encryption on my email, but if I can't read it, there's no point.

Re:I wish the world would use GPG more

[RKBA (622932)]

You don't need any special web client, browser plug-in, or anything else to use PGP. Although I do sometimes use a GnuPgp extension to Thunderbird, I mostly just use the older versions of PGP that let you encrypt/decrypt, sign/verify, etc., either the contents of the clipboard or a text file. I then simply copy/paste the encrypted/signed message text file into the email I'm sending. The encryption/decryption can be totally separate from the email client.

Re:

[kestasjk (933987)]

Not easy enough though; why isn't it automatic? Why isn't it just a basic part of e-mail by now? How can Flash and JavaScript in e-mail be supported but not encryption?

Re:I wish the world would use GPG more

[by Anonymous Coward]

why isn't it automatic?

Because the most bothersome part of all cryptographic systems is also the most important part: key management. Both trust architectures, web of trust and hierarchic trust, require that trust relations are established by verifying keys/certificates. Hierarchic trust centralizes the verification. The certificate authorities do all the work, so they want compensation. The web of trust distributes the work among its participants. Consequently it's usually free, but you have to do work. That's why it's not automatic.

Re:

[by Anonymous Coward]

There was a time that I used PGP/GnuPG for all my e-mails. But at some point I realized that this only gave me the impression that I had real privacy. Most of the recipients run Windows and they open those e-mails and files on their insecure machines.
Also, what has changed is that nowadays the reason I want more privacy is because of the government and not because of regular people/crooks. And there are various ways in which the government could still read my files even when I use encryption, both by checki

Re:

[pwizard2 (920421)]

If I'm ever downright paranoid about keeping something really important secure, I prepare several GPG keys (4096 bit) and encrypt the data, and then encrypt the encrypted text, again and again. I then keep the different keys in different places, so to read my message someone would have to acquire multiple private keys and passwords.

Re:

[RiotingPacifist (1228016)]

Assuming that it the encryption cant be broken. He is just setting up the plot to a geek movie, where the hero has to go round and find 4 keys before the bad guy, only to be deceived at the last moment by an advert to wipe his computer! Ofc he realises this and switches the order of the keys and the bad guy gets hit by a stenographic virus.

Re:

[Beetle B. (516615)]

Also, what has changed is that nowadays the reason I want more privacy is because of the government and not because of regular people/crooks. And there are various ways in which the government could still read my files even when I use encryption, both by checking my screen and what I type.

That's the same as saying, "Why lock my door? The lock can be picked anyway."

And some would say it's the same as, "Why try to hide any secrets? They've probably figured out how to read my mind anyway."

Re:

[shutdown -p now (807394)]

It's because of proliferation of Web mail, and, for geeks in particular, GMail.

Re:

[fuego451 (958976)]

"there's a great Firefox extension for it"

I've used gpg for Icedove and I considered it for Iceweasel but I'll be damned if I will 'register' with mozilla.org, now required, just to download it. When did they start that crap?

Re:maybe if gmail supported it....

[AnyoneEB (574727)]

Here you go. [getfiregpg.org]

Re:

[RiotingPacifist (1228016)]

Nothing, the same way that PGP cant protect you from a trojan used to read your mail.
But if you want: open the mail, go offline, then decrypt the email, read it, close it, clear your cookies, then go back online.

the point of encrypted emails was never to protect you from your email reader, it was to protect it from between sender & receiver

gmail won't support it.

[Dr_Barnowl (709838)]

The gmail revenue stream depends on targeted advertising, which means they need to have a daemon read your mail. If they supported encryption as standard, they'd be cutting off some not-insignificant portion of that revenue ; regardless of how much they'd like to support the feature, their responsibilities are to their shareholders ; unless they can find a way of making equivalent or greater revenue from encrypted mail, they can't field it as a feature.

I can't envisage an encrypted mail service that has an externalized revenue source, so the only way to fund it is by the customer paying. Which then begs the question, who do you trust enough to pay them to keep your secrets safe? In my case, I no secrets worth keeping, but if I did, I wouldn't trust anyone else to keep them for me.

Open-source, peer-reviewed encryption, under my own control, is the only technique I would trust to keep digital secrets transmitted across a wire.

The best kept secrets are of course the ones you keep solely in your own head.

Re:

[Aladrin (926209)]

That makes no sense. Webmail doesn't -work- if they can't decrypt the mail. During that decryption is when they'd choose the targeted ads.

This has absolutely nothing to do with targeted ads and everything to do with the encryption itself. Webmail -can't work- with encryption since you'd have to give your private key to the webmail. That would completely invalidate the encryption automatically.

No, this isn't a capitalist conspiracy. It's just logic at work.

Re:

[Beryllium Sphere(tm) (193358)]

Google encrypted email:
http://www.google.com/a/help/intl/en/security/message.html#utm_campaign=en&utm_source=en-ha-na-us-content&utm_medium=ha [google.com]

searchability without resorting to completely plaintext [slashdot.org], though admittedly that doesn't have the privacy properties a whistleblower needs.

Wonder why Wikileaks doesn't get a Hushmail acount.

>Open-source, peer-reviewed encryption, under my own control, is the only technique I would trust to keep digital secrets transmitted across a wire.

Your reasoning is soun

Re:

[Beryllium Sphere(tm) (193358)]

Gahh, screwed up the second link, sorry. https://mice.cs.columbia.edu/getTechreport.php?techreportID=483 [columbia.edu] (PDF).

Re:

[dissy (172727)]

The gmail revenue stream depends on targeted advertising, which means they need to have a daemon read your mail.

http://getfiregpg.org/ [getfiregpg.org]

This is a firefox plugin that adds pgp support to firefox, and integrates fully with gmail.
Adds encrypt decrypt and sign buttons down by the send and save buttons.

Re:

[ettlz (639203)]

So enable IMAP and SMTP support in Google Mail and use a PGP-equipped client.

There isn't

[binaryspiral (784263)]

Doubtless there are some complicating factors here -- but what is the best way to keep a confidentiality-centric site like Wikileaks trustworthy?

Unfortunately, there isn't - information is only as trustworthy as the source.

The issue is more than encrypting and signing

[Kevinv (21462)]

Once documents have been leaked, organizations know they can't put the cat back in the bag but they want to close the bag to prevent further escapes. Sure they sue but they sue to get the names of submitters (i.e. Apple vs. Think Secret, or Craig what's his name at Microsoft threatening to find the leaker of the Halloween documents via secret Exchange magic)

Wikileaks appears to want to provide a way for submitters to deny they even submitted anything to Wikileaks. Sending an e-mail to wikileaks with the contents encrypted is a clear indication that you're sending something to them. By the time the leaks are made public all they want to do is find the person, searching for something that sent pgp encrypted mail, even without being able to decrypt the actual contents, is going to be good enough for them.

An ssl page, especially if wikileaks sets up some sort of drop system with other domains so you aren't obviously submitting to wikileaks, is much harder to track because people use ssl pages all over the internet all the time. If PGP were used more frequently then they could probably use that with a drop system as well, but it's just too rarely used.

Re:The issue is more than encrypting and signing

[syzler (748241)]

An ssl page, especially if wikileaks sets up some sort of drop system with other domains so you aren't obviously submitting to wikileaks, is much harder to track because people use ssl pages all over the internet all the time.

Why would you submit something to Wikileaks from your organization's network or through your organization's mail servers? I would think that act alone would scream, "Fire me," at the top of its figurative lungs to your soon to be ex-employers.

Re:

[BorgCopyeditor (590345)]

Because it's the only way to get the info out the door?

Re:The issue is more than encrypting and signing

[syzler (748241)]

If an organization has security so tight that an individual is unable to carry a medium such as a sheet of paper, a thumb drive, digital camera, mp3 player, or cell phone off the premise, I seriously doubt the organization would allow the individual unrestricted access to the public Internet from within the organization's network.

I beg to differ

[IBitOBear (410965)]

I can neither confirm nor deny that I have sat in a classified lab with info controls that has a non-trivil number of points of access to the unrestricted internet. The labs may or may not have restricted the movement of cell phones, thumb drives, CD ROMS, etc.

When push comes to shove, "the individual persons" are both the weakest and most important of a security plan. Plans based on having "no bad actors" inside the security ring is important and everyday useful.

One of the major reasons to restrict the a

Re:

[Kevinv (21462)]

Why would this have to go through the company's servers? Organizations with leaks, hell the RIAA does it all the time, has been known to ask for ISP's logs and ISPs are pretty willing to roll over for just about anyone.

DNS logs, e-mail logs, etc.... then back track the trail looking for a server that keeps copies of e-mail as it passes through (how many ISP's now require you use their SMTP server instead being able to send your own e-mail straight to another server?) or starts keeping copies of your mail w

Re:

[beeblebrox (16781)]

An ssl page, especially if wikileaks sets up some sort of drop system with other domains so you aren't obviously submitting to wikileaks, is much harder to track because people use ssl pages all over the internet all the time.

The problem with SSL, as implemented in browsers, is that there is a crapload of root certification authorities that are blindly trusted by default. On my Firefox browser for example I can see:

- AOL
OK, I might trust them for something like an online forum login page, but not for online banking.

- TurkTrust
Seems to be a Turkish quasi-government entity related to international trade. Since I'm not trading with any Turkish entities right now, this one went bye bye from the list.

- GoDaddy: Holy Fucking Shite

Re:

[Shadow-isoHunt (1014539)]

Here's the thing though, while PGP sort of lets the cat out of the bag that you're hiding something, the same thing happens over an SSL page on wikileaks IP, it doesn't give you any protection because instead of just searching for "PGP" in packet logs(if they're being kept), you're searching for 88.80.13.160 or "wikileaks"(which would come up in a DNS request). The only real solution is transmitting the materials over an anonymous link(such as wifi across town). If I was leaking something, I wouldn't even u

Reading between the lines

[by Anonymous Coward]

hmm.. no encryption and no answers. I smell an FBI national security letter and gag order.

Re:Reading between the lines

[number11 (129686)]

no encryption and no answers. I smell an FBI national security letter and gag order.

And why should wikileaks care about that? The domain is registered to an address in Kenya, and the web server appears to be in Sweden.

Re:

[noz (253073)]

hmm.. no encryption and no answers. I smell an FBI national security letter and gag order.

They should have leaked them to Wikileaks. Wait...

there isn't

[kris.montpetit (1265946)]

Doubtless there are some complicating factors here -- but what is the best way to keep a confidentiality-centric site like Wikileaks trustworthy?

There isn't. By verifying that anyone is anyone the cover is blown. Regardless the best use of it is still to post anonymously and link as many people as humanly possible. Then even if your cover is blown, the message still gets out. If you're a whistleblower, this is something you should have accepted long before you blew the whistle

Tomorrow's headlines:

[Cctoide (923843)]

- Wikileaks Changes Headings to Times New Roman
- Wikileaks Director Recommends Ivory Soap
- Wikileaks to Sponsor Next Super Bowl
- Wikileaks leaks Wikileaks' Wikileaks leaks
- Wikileaks wikileaks wikileaks, Wikileaks wikileaks

Anonymous Remailers

[LM741N (258038)]

But thats so early 90's. Still might be useful, although I don't think there any left that will anonymously send the recipient plain text.

Re:

[perlchild (582235)]

The private key you mean?
If you mean the public key, that proves nothing, if you mean the private key, anyone who uses it in the future can attribute documents to you. I know 3am PBS isn't popular, but I still wouldn't broadcast it.

Re:What happened on November 2nd, 2007?

[fintler (140604)]

Expiration of PGP keys is a feature and does not prevent the key from being used in the future (although it should not be considered secure if used after the expiration date). The purpose is to prevent the impact of a compromised key by limiting its validity period.

Expiry can also be useful in the event that a private key is lost. Revocation of a public key requires access to the private keys.

Re:Secure proof of sending, reading

[WuphonsReach (684551)]

I'm in a situation where I need to *prove* that someone has opened/read an email. I know there are paid "registered email" services, but they seem a bit overkill to me. And return receipts are jokes, since they aren't widely supported.

The short answer is "don't try to make SMTP do something that it wasn't designed to do".

The long answer - send people unique links to a web server that you control.

Re:

[SpaceLifeForm (228190)]

Well, you could setup a system with sftp, one-time login/password to access the document in question, log when the document was accessed, but even so, access does not prove that it was read.