I’m no prolific user by any means, but occasionally I do try and check my Twitter feed; it can throw up some interesting things occasionally. Of particular interest to me was this tweet from Runa Sandvik, a privacy and security researcher and Director of Newsroom Information Security at the New York Times, that I came across at some point last week whilst at work:
— Runa Sandvik (@runasand) August 23, 2016
This got me fascinated – you can PGP sign your website AND deliver it via https?! Of course the first thing I did was to check it out and, sure enough, the website source code is PGP signed as claimed:
Admittedly yes, the key has both expired and been revoked but the signature is still good. Bearing the warnings in mind if I were a real whistleblower then I’d probably not want to use the site in case the key was revoked because it was compromised (here the comments indicate otherwise but one can never be too careful) and as such, someone could be impersonating ProPublica. Remember that https, even with a valid certificate, only ensures that you’re connecting to the web server or web proxy server that’s serving you content securely – it does NOT verify that the organisation behind the server is who they’re claiming to be, hence why PGP is useful in this context.
You may be wondering how exactly it is that they’re achieving this without breaking HTML. If you actually look at the source it’s all done within sections of code that have been commented-out:
So everything from the first comment opening tag through to the last comment opening tag forms the signed message; the signature itself sits inside that final comment. Cool, huh? This is the first time I’ve seen this kind of thing, so what are the merits and demerits of this approach?
- Verifies the organisation/identity behind the web server in a way that normal HTTPS can’t.
- Guarantees the authenticity of the ‘.onion’ Tor address for their secure site.
- No way to sign any server-side interpreted code such as PHP or Perl, only its raw HTML output.
- <!DOCTYPE> and both the opening and closing <html> tags are outside the signed region.
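To make the layout concrete, here is a small added example (my own illustration, not ProPublica’s real source or any tool of theirs) that pulls the clearsigned block out of a page built the way described above, shows which text the signature actually covers, and shows what falls outside it, which is exactly the last demerit in the list. The HTML and the signature armour are constructed placeholders, so the verification step only succeeds against a real page when gpg and the signer’s public key are available.

```python
import shutil
import subprocess

# Constructed sample page laid out like the signed site described in the post.
# The .onion address and the signature armour are placeholders, not real values.
SAMPLE_HTML = """<!DOCTYPE html>
<html>
<!--
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

-->
<head><title>Constructed example</title></head>
<body>
<p>Our secure drop is at examplexyz.onion (placeholder address)</p>
</body>
<!--
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEEPLACEHOLDERSIGNATUREPLACEHOLDER=
=ABCD
-----END PGP SIGNATURE-----
-->
</html>
"""

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


def extract_clearsigned(html: str) -> str:
    """Return the clearsigned blob exactly as it would be handed to gpg:
    from the SIGNED MESSAGE header to the end of the signature armour."""
    start = html.index(BEGIN_MSG)
    end = html.index(END_SIG) + len(END_SIG)
    return html[start:end]


def signed_payload(html: str) -> str:
    """The text the signature actually covers: everything after the blank
    line that ends the Hash: header, up to the signature armour. Note that
    the '-->' and '<!--' comment markers are part of this covered text."""
    blob = extract_clearsigned(html)
    header_end = blob.index("\n\n") + 2
    return blob[header_end:blob.index(BEGIN_SIG)]


def unsigned_parts(html: str):
    """Text outside the signed region: before the first comment opening tag
    and after the last comment closing tag (doctype, <html>, </html>)."""
    first = html.index("<!--")
    last = html.rindex("-->") + len("-->")
    return html[:first], html[last:]


def covers_string(html: str, needle: str) -> bool:
    """True if the given string is protected by the signature."""
    return needle in signed_payload(html)


def verify_with_gpg(clearsigned: str):
    """Hand the blob to a locally installed gpg. Returns (ok, gpg stderr),
    or (None, reason) when gpg is not available. gpg reverses the
    dash-escaping it applied to any message lines starting with '-'."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return None, "gpg not installed"
    proc = subprocess.run(
        [gpg, "--batch", "--verify"],
        input=clearsigned.encode(),
        capture_output=True,
    )
    return proc.returncode == 0, proc.stderr.decode(errors="replace")


if __name__ == "__main__":
    before, after = unsigned_parts(SAMPLE_HTML)
    print("not covered by signature:", repr(before), repr(after))
    print(".onion address covered:", covers_string(SAMPLE_HTML, "examplexyz.onion"))
    print("gpg result:", verify_with_gpg(extract_clearsigned(SAMPLE_HTML)))
```

Running this against a real page would replace SAMPLE_HTML with the fetched source; the useful check for a visitor is not just that gpg reports a good signature, but that the strings they care about (the .onion address in particular) fall inside signed_payload rather than in the uncovered head or tail of the document.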