[liberationtech] Tumblr's lack of Encryption
Danny O'Brien
danny at spesh.com
Mon Sep 20 15:34:52 PDT 2010
On Sun, Sep 19, 2010 at 11:32 PM, Frank Corrigan
<email at franciscorrigan.com> wrote:
> I wanted to ask members for any tips on how to approach Tumblr.com, the
> blogging platform, to request that they introduce default ssl/tls
> encryption to at least protect usernames and passwords during logging on
> and/or for all user account activities. Like many other platforms Tumblr
> offers useful options such as free mapping of a domain name, but having
> no encryption makes it less attractive.
>
Hi Frank,
Approaching companies to fix these problems is part of my day job; let
me see if I can find someone we can speak to at Tumblr. It's worth
them to make a simple fix like this before someone loses their "low
security" password this way, and it becomes a PR nightmare.
(If others in the human rights community have issues like this, you
can mail me at the Committee to Protect Journalists at
dobrien at cpj.org. I'm based in San Francisco and frequently approach
Internet companies here and elsewhere with technical problems being
faced by journalists working in dangerous conditions, such as those in
fear of surveillance or targeted hacking attacks.)
Incidentally, it's worth noting that SSL logins don't fix all the
potential problems with unauthorised access if someone's net traffic
is being intercepted; I haven't looked at Tumblr, but access to
session cookies sent in plaintext can be enough to hijack a session
too. The difference is between being able to (temporarily) gain
control over one service, and obtaining a copy of a person's password.
The second is a bigger problem when that password or a variant is used
with other services.
d.
> As a newbie to 'liberationtech' I do hope this is an appropriate post.
>
> My background has been in engaging in rights based activism, mostly on
> migrant and refugee rights. I am less 'visible' these days as a
> consequence of getting my fingers burnt by making open Public interest
> disclosures, after some reflection and time-out I have now gone back to
> more anonymous forms of activism.
>
> My interest in this list flows from the recent attention being given to
> the Haystack Network and specifically the Cultural Bytes blog post:
> http://culturalbytes.com/post/1141832150/internetfreedom - which just
> happens to be hosted on Tumblr!
>
> One example of past collaborative work:
> http://web.archive.org/web/20070621113414/http://www.asylumsupport.org.uk/
>
> Thanks
> Frank
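The distinction drawn in the reply above (an SSL login protects the password, but a session cookie sent in plaintext can still be captured) can be checked from a site's login URL and its Set-Cookie headers. This is an added example, not part of the original thread; the host `example.test`, the cookie names `sid` and `theme`, and the header values are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def assess_exposure(login_post_url, set_cookie_headers, session_cookie_names):
    """Report what someone intercepting the traffic could capture.

    password_exposed   -- the login form submits over plain HTTP
    hijackable_cookies -- session cookies without the Secure attribute,
                          which the browser will also send over plain HTTP
    """
    password_exposed = urlsplit(login_post_url).scheme.lower() != "https"
    hijackable = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # parses one Set-Cookie header value
        for name, morsel in jar.items():
            if name in session_cookie_names and not morsel["secure"]:
                hijackable.append(name)
    return {"password_exposed": password_exposed,
            "hijackable_cookies": sorted(hijackable)}


def verdict(report):
    """Map a report onto the two outcomes the reply distinguishes."""
    if report["password_exposed"]:
        return "password copy obtainable (affects other services that reuse it)"
    if report["hijackable_cookies"]:
        return "temporary control of this one service via session hijack"
    return "neither password nor session cookie exposed in transit"


SESSION_NAMES = {"sid"}  # assumed name of the site's session cookie

# Constructed sample data: three deployments of the same hypothetical site.
NO_TLS = assess_exposure("http://example.test/login",
                         ["sid=abc123; Path=/"], SESSION_NAMES)
TLS_LOGIN_ONLY = assess_exposure("https://example.test/login",
                                 ["sid=abc123; Path=/; HttpOnly",
                                  "theme=dark; Path=/"], SESSION_NAMES)
TLS_EVERYWHERE = assess_exposure("https://example.test/login",
                                 ["sid=abc123; Path=/; Secure; HttpOnly"],
                                 SESSION_NAMES)

if __name__ == "__main__":
    for label, report in [("no TLS", NO_TLS),
                          ("TLS login only", TLS_LOGIN_ONLY),
                          ("TLS everywhere", TLS_EVERYWHERE)]:
        print(f"{label}: {verdict(report)}")
```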