I’m no prolific user by any means, but occasionally I do try and check my Twitter feed; it can throw up some interesting things occasionally. Of particular interest to me was this tweet from Runa Sandvik, a privacy and security researcher and Director of Newsroom Information Security at the New York Times, that I came across at some point last week whilst at work:

 


This got me fascinated – you can PGP sign your website AND deliver it via https?! Of course the first thing I did was to check it out and, sure enough, the website source code is PGP signed as claimed:

pgp-website-notice

gpg --verify

 

Admittedly yes, the key has both expired and been revoked, but the signature is still good. Bearing the warnings in mind, if I were a real whistleblower then I’d probably not want to use the site in case the key was revoked because it was compromised (here the comments indicate otherwise, but one can never be too careful) and, as such, someone could be impersonating ProPublica. Remember that https, even with a valid certificate, only ensures that you’re connecting to the web server or web proxy server that’s serving you content securely – it does NOT verify that the organisation behind the server is who they’re claiming to be, hence why PGP is useful in this context.

You may be wondering how exactly it is that they’re achieving this without breaking HTML. If you actually look at the source it’s all done within sections of code that have been commented-out:

comments header

comments footer

So everything after the first comment tag opening to the last comment tag opening is the signed message part. Cool, huh? This is the first time I’ve seen this kind of thing, so what are the merits and demerits of this approach?

Merits

  • Verifies the organisation/identity behind the web server in a way that normal HTTPS can’t.
  • Guarantees the authenticity of the ‘.onion’ Tor address for their secure site.

Demerits

  • No way to sign any server-side interpreted code such as PHP or Perl, only its raw HTML output.
  • <!DOCTYPE> and both the initial and final <html> tags are outside the signature source.
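
To make the comment-wrapping and the last demerit concrete, here is an added example (not code from the original post or from ProPublica) that cuts the clearsigned block out of a saved page and reports any markup sitting outside it. The sample page is constructed from the layout described above, the signature in it is a dummy, and `- -->` is the dash-escaped form that a clearsigned `-->` line takes.

```python
import re
import sys

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
END_SIG = "-----END PGP SIGNATURE-----"
# Wrapper markup the post says sits outside the signature. Only bare <html>
# tags are accepted, so attributes added to them are reported too.
WRAPPER = re.compile(r"<!DOCTYPE[^>]*>|</?html>|<!--|-->|\s+", re.I)

# Constructed sample page (layout assumed from the post; signature is a dummy).
SAMPLE = """<!DOCTYPE html>
<html>
<!--
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -->
<head><title>Example</title></head>
<body><p>Signed content</p></body>
<!--
-----BEGIN PGP SIGNATURE-----

CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-SIGNATURE
-----END PGP SIGNATURE-----
-->
</html>
"""

def split_signed_page(source):
    """Return (prefix, clearsigned_block, suffix) for a page with one block."""
    start = source.find(BEGIN_MSG)
    end = source.find(END_SIG, max(start, 0))
    if start == -1 or end == -1:
        raise ValueError("no complete clearsigned block found")
    end += len(END_SIG)
    if BEGIN_MSG in source[end:]:
        raise ValueError("more than one signed block; refusing to guess")
    return source[:start], source[start:end], source[end:]

def unsigned_extras(source):
    """Markup outside the signed block other than the expected wrapper.
    Anything returned is sent to the browser but not covered by the signature."""
    prefix, _, suffix = split_signed_page(source)
    leftovers = (WRAPPER.sub("", part) for part in (prefix, suffix))
    return [text for text in leftovers if text]

if __name__ == "__main__":
    page = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for extra in unsigned_extras(page):
        print("unsigned markup:", extra, file=sys.stderr)
    sys.stdout.write(split_signed_page(page)[1] + "\n")  # pipe into: gpg --verify
```

Run against a saved copy of a page, the script's standard output can be piped straight into `gpg --verify`, while anything printed to standard error is content the signature says nothing about.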

 
