[liberationtech] Tumblr's lack of Encryption
Frank Corrigan
email at franciscorrigan.com
Mon Sep 20 16:06:55 PDT 2010
Thanks Danny, I and hopefully others could benefit from the CPJ
resources and efforts you could call upon to prompt Tumblr to provide
HTTPS persistently for all account activity. I take your broader points
about interception; as I said, I wanted to at least secure some modicum
of protection during login/registration, and Jen showed how easily
appending an S after http achieved this.
You might want to test out Tumblr to support any contact you make under
your CPJ auspices.
I was looking into Tumblr as it offers a free domain name mapping
option. Many domain name registrars now offer, some for free, the option
to anonymise WHOIS records and give full and free DNS control. This
gives potential users the chance to create a Tumblr hosted blog under
their own domain name and not have to share any personally identifying
info with Tumblr. There is not much discussion on this topic, but better
online anonymity can also be facilitated, when having to pay for domain
names/hosting and the like, by using retail outlet pre-paid Visa and
Mastercard cards.
On the more common subject of circumvention, I do find ixquick's HTTPS
enabled proxy service is a good way to access potentially blocked
websites (https://ixquick.com/proxy/eng/help.html), and some may appreciate
how it is not touted as a circumvention tool or service and currently it
does not, nor does it have to, retain much usage data.
Thanks
Frank
----- Original message -----
From: "Danny O'Brien" <danny at spesh.com>
To: "Frank Corrigan" <email at franciscorrigan.com>
Cc: liberationtech at lists.stanford.edu
Date: Mon, 20 Sep 2010 15:34:52 -0700
Subject: Re: [liberationtech] Tumblr's lack of Encryption
On Sun, Sep 19, 2010 at 11:32 PM, Frank Corrigan
<email at franciscorrigan.com> wrote:
> I wanted to ask members for any tips on how to approach Tumblr.com, the
> blogging platform, to request that they introduce default ssl/tls
> encryption to at least protect usernames and passwords during logging on
> and or for all user account activities. Like many other platforms Tumblr
> offers useful options such as free mapping of a domain name, but having
> no encryption makes it less attractive.
>
Hi Frank,
Approaching companies to fix these problems is part of my day job; let
me see if I can find someone we can speak to at Tumblr. It's worth
them to make a simple fix like this before someone loses their "low
security" password this way, and it becomes a PR nightmare.
(If others in the human rights community have issues like this, you
can mail me at the Committee to Protect Journalists at
dobrien at cpj.org. I'm based in San Francisco and frequently approach
Internet companies here and elsewhere with technical problems being
faced by journalists working in dangerous conditions, such as those in
fear of surveillance or targeted hacking attacks.)
Incidentally, it's worth noting that SSL logins don't fix all the
potential problems with unauthorised access if someone's net traffic
is being intercepted; I haven't looked at Tumblr, but access to
session cookies sent in plaintext can be enough to hijack a session
too. The difference is between being able to (temporarily) gain
control over one service, and obtaining a copy of a person's password.
The second is a bigger problem when that password or a variant is used
with other services.
d.
> As a newbie to 'liberationtech' I do hope this is an appropriate post.
>
> My background has been in engaging in rights-based activism, mostly on
> migrant and refugee rights. I am less 'visible' these days as a
> consequence of getting my fingers burnt by making open public interest
> disclosures; after some reflection and time-out I have now gone back to
> more anonymous forms of activism.
>
> My interest in this list flows from the recent attention being given to
> the Haystack Network and specifically the Cultural Bytes blog post:
> http://culturalbytes.com/post/1141832150/internetfreedom - which just
> happens to be hosted on Tumblr!
>
> One example of past collaborative work:
> http://web.archive.org/web/20070621113414/http://www.asylumsupport.org.uk/
>
> Thanks
> Frank
> _______________________________________________
> liberationtech mailing list
> liberationtech at lists.stanford.edu
>
> Should you need to change your subscription options, please go to:
>
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
>
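The point Danny makes above (an HTTPS login page protects the password, but a session cookie that the browser also sends on later plain http:// pages can still be read by anyone intercepting the traffic) can be checked from a site's own Set-Cookie headers. The script below is an added example, not code from this thread or from Tumblr; the header values and the "session-like" name heuristic are constructed for illustration.

```python
"""Report which session-like cookies set after an HTTPS login would also be
sent by the browser on plain http:// requests (i.e. those missing Secure).
Added example; all sample header values below are constructed."""
from dataclasses import dataclass
from typing import Dict, List

# Name fragments that usually mark a cookie as carrying login state.
# Heuristic chosen for this example only.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


@dataclass
class Cookie:
    name: str
    attrs: Dict[str, str]  # attribute name (lowercased) -> value ("" for flags)

    @property
    def secure(self) -> bool:
        # Without the Secure attribute the browser attaches the cookie to
        # http:// requests as well, so it crosses the wire in plaintext.
        return "secure" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into the cookie name and attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return Cookie(name, attrs)


def is_session_like(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def exposed_over_plaintext(set_cookie_headers: List[str]) -> List[str]:
    """Names of session-like cookies lacking Secure, in header order."""
    return [c.name for c in map(parse_set_cookie, set_cookie_headers)
            if is_session_like(c.name) and not c.secure]


# Constructed headers from a hypothetical HTTPS login response, not a capture.
SAMPLE_LOGIN_RESPONSE = [
    "sid=EXAMPLE-SESSION-ID; Path=/; HttpOnly",                   # no Secure: exposed
    "csrftoken=EXAMPLE-CSRF; Path=/; Secure",                     # stays on https://
    "theme=dark; Path=/; Expires=Wed, 21 Oct 2015 07:28:00 GMT",  # not login state
]

if __name__ == "__main__":
    for name in exposed_over_plaintext(SAMPLE_LOGIN_RESPONSE):
        print(f"{name}: also sent over plain http://; add the Secure attribute")
```

The fix on the site's side is the Secure attribute on every cookie that carries login state, together with serving all logged-in pages over HTTPS so the browser never has a plain http:// request to attach it to.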
More information about the liberationtech
mailing list