It’s recently become fashionable for news organizations to build “anonymous tip” sites that permit members of the public to confidentially submit tips about stories of public interest.
Unfortunately, would-be tipsters need to take great care when exploring such options, because many organizations aren’t using HTTPS properly to ensure that the user’s traffic to the news site is protected from snoopers on the network.
If the organization uses any non-secure redirections in loading its “Tips” page, or the page pulls any unique images or other content over a non-secure connection, the fact that you’ve visited the “Tips” page will be plainly visible to your ISP, employer, fellow coffee shop patron, home-router-pwning group, etc.
Here are a few best practices for organizations that either a) anonymous tips online or b) use webpages to tell would-be leakers how to send anonymous tips via Tor or non-electronic means:
- Use HTTPS for all resources
- Enable HTTP Strict Transport Security with preload for all domains
- Enable Content-Security-Policy with Upgrade-Insecure-Requests and block-all-mixed-content
- Ensure that you collect tips from the same domain that users use to read articles (avoid hostname giveaways like https://tips.example.com because HTTPS doesn’t keep hostnames private)
- Avoid redirectors and clicktrackers
- Scour your pages for non-secure links
For end users:
- Consider using Tor or other privacy-aiding software.
- Don’t use a work PC or any PC that may have spyware or non-public certificate roots installed.
Stay private out there!
-Eric
text/plain 