[liberationtech] Tumblr's lack of Encryption
Danny O'Brien
danny at spesh.com
Mon Sep 20 17:45:53 PDT 2010
On Mon, Sep 20, 2010 at 4:06 PM, Frank Corrigan
<email at franciscorrigan.com> wrote:
> Thanks Danny, I and hopefully others could benefit from the CPJ
> resources and efforts you could call upon to prompt Tumblr to provide
> HTTPS persistently for all account activity. I take your broader points
> about interception; as I said, I wanted to at least secure some modicum
> of protection during log in/registration and Jen showed how easy
> appending an S after http achieved this.
>
> You might want to test out Tumblr to support any contact you make under
> your CPJ auspices.
>
Yep, I kicked up Wireshark and pulled out my login password in
plaintext when logging on.
As ever, I'd say that it's difficult to calibrate exactly what the
practical risks here are, except to note that a) they're much higher
for independent media and activists in dangerous conditions where the
attackers have access to traffic, b) they're lowered very quickly by
some (potentially) simple fixes on the company side, and c) those
fixes probably have a wider security benefit for the main audience for
a general purpose site like Tumblr.
I figure it's a good use of time to do this kind of advocacy, not
because there's some clear and present danger from imminent
Tumblr-0wnage, but because every popular site that makes this mistake
and then fixes it is an illustration (either public or in the circles
that coders socialise within) that such obvious gaps *are* easy and
correct to fix. And if they can't or won't fix it, then those
technical and social counter-arguments will keep on recurring and may
highlight some deeper security issue that needs to be addressed by the
community at large.
A good example of this is the current push to get sites to offer SSL
as an available alternative or a default setting (you mentioned
https-anywhere which is one of the initiatives to try and address
this). Many people have been advocating wider deployment of SSL for
standard services for some time, but it took Google actually switching
Gmail to SSL by default, offering SSL-secured search and *also*
publicly discussing how they did this without increasing CPU load,
unacceptable speed drops, and so on, to really make the theoretical
argument more palatable for other companies.
Also, it's good to meet with and encourage growing companies like
Tumblr to think about the ramifications of their actions among
speakers at risk, because if they keep growing, at some point they
*will* be faced with an unexpected free speech/human rights issue, and
they'll need to make some crucial decisions very quickly -- and making
those decisions correctly I think will be helped by having contacts in
a community that deals with these challenges on a daily basis.
d.
> I was looking into Tumblr as it offers a free domain name mapping
> option. Many domain name registrars now offer, some for free, the option
> to anonymise WHOIS records and give full and free DNS control. This
> gives potential users the chance to create a Tumblr hosted blog under
> their own domain name and not have to share any personally identifying
> info with Tumblr. There is not much discussion on this topic but better
> online anonymity can also be facilitated, when having to pay for domain
> names/hosting and alike, by using retail outlet pre-paid Visa and
> Mastercard cards.
>
> On the more common subject of circumvention, I do find ixquick https
> enabled proxy service is a good way to access potentially blocked
> websites https://ixquick.com/proxy/eng/help.html and some may appreciate
> how it is not touted as a circumvention tool or service and currently it
> does not, or does not have to, retain much usage data.
>
> Thanks
> Frank
>
>
> ----- Original message -----
> From: "Danny O'Brien" <danny at spesh.com>
> To: "Frank Corrigan" <email at franciscorrigan.com>
> Cc: liberationtech at lists.stanford.edu
> Date: Mon, 20 Sep 2010 15:34:52 -0700
> Subject: Re: [liberationtech] Tumblr's lack of Encryption
>
> On Sun, Sep 19, 2010 at 11:32 PM, Frank Corrigan
> <email at franciscorrigan.com> wrote:
>> I wanted to ask members for any tips on how to approach Tumblr.com, the
>> blogging platform, to request that they introduce default ssl/tls
>> encryption to at least protect usernames and passwords during logging on
>> and or for all user account activities. Like many other platforms Tumblr
>> offers useful options such as free mapping of a domain name, but having
>> no encryption makes it less attractive.
>>
>
> Hi Frank,
>
> Approaching companies to fix these problems is part of my day job; let
> me see if I can find someone we can speak to at Tumblr. It's worth
> them to make a simple fix like this before someone loses their "low
> security" password this way, and it becomes a PR nightmare.
>
> (If others in the human rights community have issues like this, you
> can mail me at the Committee to Protect Journalists at
> dobrien at cpj.org. I'm based in San Francisco and frequently approach
> Internet companies here and elsewhere with technical problems being
> faced by journalists working in dangerous conditions, such as those in
> fear of surveillance or targeted hacking attacks.)
>
> Incidentally, it's worth noting that SSL logins don't fix all the
> potential problems with unauthorised access if someone's net traffic
> is being intercepted; I haven't looked at Tumblr, but access to
> session cookies sent in plaintext can be enough to hijack a session
> too. The difference is between being able to (temporarily) gain
> control over one service, and obtaining a copy of a person's password.
> The second is a bigger problem when that password or a variant is used
> with other services.
>
> d.
>
>> As a newbie to 'liberationtech' I do hope this is an appropriate post.
>>
>> My background has been in engaging in rights based activism, mostly on
>> migrant and refugee rights. I am less 'visible' these days as a
>> consequence of getting my fingers burnt by making open public interest
>> disclosures; after some reflection and time-out I have now gone back to
>> more anonymous forms of activism.
>>
>> My interest in this list flows from the recent attention being given to
>> the Haystack Network and specifically the Cultural Bytes blog post:
>> http://culturalbytes.com/post/1141832150/internetfreedom - which just
>> happens to be hosted on Tumblr!
>>
>> One example of past collaborative work:
>> http://web.archive.org/web/20070621113414/http://www.asylumsupport.org.uk/
>>
>> Thanks
>> Frank
>> _______________________________________________
>> liberationtech mailing list
>> liberationtech at lists.stanford.edu
>>
>> Should you need to change your subscription options, please go to:
>>
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
>>
>
>
>
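The session-cookie point made in the quoted reply (an SSL login alone does not help if the session cookie is later sent in plaintext) can be checked from the server's Set-Cookie headers. The following is an added example, not code from the thread or from Tumblr; the header values are constructed and the cookie-name hints are an assumption about what a session cookie is usually called.

```python
"""Audit Set-Cookie headers from a login response for plaintext exposure."""

# Constructed sample: headers a site that logs users in over plain HTTP
# might send back. Values are made up for this example.
SAMPLE_SET_COOKIE_HEADERS = [
    "sessionid=EXAMPLE-SESSION-TOKEN; Path=/; Domain=.example.com",
    "csrftoken=EXAMPLE-CSRF; Path=/",
    "prefs=theme-dark; Path=/; Secure; HttpOnly",
]

# Assumed name fragments that usually mark a session/auth cookie.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "login")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr: value_or_True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        # Flag attributes such as Secure / HttpOnly carry no value.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def looks_like_session_cookie(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_cookies(headers, response_scheme):
    """Return [(cookie_name, [issue, ...])] for session cookies at risk.

    Without the Secure attribute a browser resends the cookie over plain
    HTTP as well as HTTPS, so a passive interceptor on the path sees it
    even when the login itself used TLS: the hijack case from the thread.
    """
    findings = []
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if not looks_like_session_cookie(name):
            continue
        issues = []
        if response_scheme != "https":
            issues.append("set over plaintext HTTP (already exposed)")
        if "secure" not in attrs:
            issues.append("missing Secure (will be resent over plain HTTP)")
        if "httponly" not in attrs:
            issues.append("missing HttpOnly (readable by page scripts)")
        if issues:
            findings.append((name, issues))
    return findings
```

Run `audit_cookies(SAMPLE_SET_COOKIE_HEADERS, "http")` to see the sample session cookie flagged on all three counts; the same headers over "https" still leave the missing Secure and HttpOnly findings.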