CPJ, We Have A Problem

The Committee to Protect Journalists published an article yesterday exploring whether Google+ was a viable platform for journalists to interact with sources on sensitive topics.

In a generally positive review that outlines the dangers reporters and their sources face when communicating via digital channels the author writes:

So, how secure is Google+ for at-risk reporters? From Day 1, everything on Google+ is encrypted with https. That means that no one, not even a maliciously motivated government with control of your local ISP, can intercept your private conversations.

Let’s stop, pause, recalibrate and explore what HTTPS is and does.

HTTPS is a protocol that encrypts information shared at the point of contact between a User and the service that User is connecting with. You might know it from your experiences with online banking. That is, go to your bank’s Web site and instead of “http” at the beginning of the address, you”ll see an added “S” to the URL indicating that you’re now in a “secure” environment.

At a very high level, this is how it works: When you attempt to connect with a secure server, an encrypted “handshake” occurs. Basically, you say, “Hello” to the server, the server sends an encrypted message back which you (ie, your browser) then answer, and once the “handshake” is confirmed, the rest of your communications pass back and forth under this layer of encryption.

While secure for most purposes, it’s not fool proof. For example, “man in the middle" attacks can occur whereby an eavesdropping third party intercepts the initial request and fakes — and then controls — communication between the two parties.

Point being, to say, “[N]o one, not even a maliciously motivated government with control of your local ISP, can intercept your private conversations,” simply isn’t the case.

Beyond that, just because the servers are secure doesn’t mean they can’t be hacked or broken into. We need just look back a month to reports that Chinese hackers hacked Google’s Gmail which, yes, is HTTPS protected.

Go back a bit further and recall that a number of companies were hit with Operation Aurora, an attack that — among other things — compromised the Gmail accounts of human rights activists.

"As with most targeted attacks, the intruders gained access to an organization by sending a tailored attack to one or a few targeted individuals," George Kurtz, CTO of McAfee, a technology security firm, explained at the time. "These attacks will look like they come from a trusted source, leading the target to fall for the trap and clicking a link or file… Once the malware is downloaded and installed, it opens a back door that allows the attacker to perform reconnaissance and gain complete control over the compromised system."

So, long story long: HTTPS isn’t a security panacea and we hope the CPJ amends their Google+ review with these considerable caveats.

There are, after all, reporters and activists around the globe that listen very carefully to what they have to say.

Blog comments powered by Disqus