Slashdot Mirror

← Back to Stories (view on slashdot.org)

Wikileaks Sidesteps Publishing Public PGP Key

Posted by timothy on from the these-things-take-time dept.

An anonymous reader writes "Repeated requests toward the Wikileaks staff regarding their use of PGP have gone unanswered. The current public PGP key posted has been expired since November 2nd, 2007. A response on their PGP talk page notes that the 'SSL based mail submission system' will be the secure online method of document submission. At the current time, there is no method to safely encrypt any postal communications with Wikileaks or verify that any given communication actually originated from a Wikileaks staff member." Doubtless there are some complicating factors here -- but what is the best way to keep a confidentiality-centric site like Wikileaks trustworthy?

5 of 96 comments (clear)

  1. I wish the world would use GPG more by CRCulver · · Score: 5, Insightful

    A decade ago, every geek had a PGP key, keysigning parties were a great way to spend a Friday night, and everyone was raving about Schneier's eggheaded but useful tome Applied Cryptography . Now when I ask otherwise normal geeks if they have a PGP key, they just look at me like I'm from Mars. I don't understand, PGP has gotten only easier to use, there's a great Firefox extension for it, but it has faded in popularity.

  2. The issue is more than encrypting and signing by Kevinv · · Score: 5, Insightful

    Once documents have been leaked, organizations know they can't put the cat back in the bag but they want to close the bag to prevent further escapes. Sure they sue but they sue to get the names of submitters (i.e. Apple vs. Think Secret, or Craig what's his name at Microsoft threatening to find the leaker of the Halloween documents via secret Exchange magic)

    Wikileaks appears to want to provide a way for submitters to deny they even submitted anything to Wikileaks. Sending an e-mail to wikileaks with the contents encrypted is a clear indication that you're sending something to them. By the time the leaks are made public all they want to do is find the person, searching for something that sent pgp encrypted mail, even without being able to decrypt the actual contents, is going to be good enough for them.

    An ssl page, especially if wikileaks sets up some sort of drop system with other domains so you aren't obviously submitting to wikileaks, is much harder to track because people use ssl pages all over the internet all the time. If PGP were used more frequently then they could probably use that with a drop system as well, but it's just too rarely used.

  3. Re:Whoo boy by kestasjk · · Score: 5, Insightful

    It makes sense, really. Anything you send to WikiLeaks you intend to be told to everyone.

    I think what they mean by "provides proof of intention to conceal" is that they don't want people leaking something and then saying "aha! You just told everyone something that I meant to be kept private, I'm going to sue! Why would I have encrypted it if I had meant you to release it?"

    And that person would have a point. It's hard to think how someone could post something to WikiLeaks, so that it can be publicly posted, but desire that their information be transmitted encrypted. The assumption should always be anything you send to WikiLeaks is public, and allowing encrypted submissions may make this unclear.
    If they need to submit the information anonymously they should do it anonymously, PGP can't help with that.

    --
    // MD_Update(&m,buf,j);
  4. Re:Whoo boy by DaffyDuck101 · · Score: 5, Insightful
    Quite obviously they (the submitters) would like to be able to deny they sent the information in the first place. PGP or not is not going to help a lot with that.

    "Proof of intention to conceal" would refer to the fact that when the next scandal at ACME is published, and only one of their faithful employees ever used PGP as evidenced by their router logs, that would constitute enough proof to sue, even without being able to read the actual contents of the mail.

    So what the nice folks at wikileaks are saying is that you might as well ditch PGP and use web-based SSL forms so you can just claim you were paying your annual Playboy magazine subscription, or whatever. Or you could send all your mail with PGP and try to convince everybody else to do so as well.

    So yes, PGP isn't going to do you much good, but not for the reasons you stated.

  5. Re:What happened on November 2nd, 2007? by fintler · · Score: 5, Informative

    Expiration of PGP keys is a feature and does not prevent the key from being used in the future (although it should not be considered secure if used after the expiration date). The purpose is to prevent the impact of a compromised key by limiting its validity period.

    Expiry can also be useful in the event that a private key is lost. Revocation of a public key requires access to the private keys.