I had dinner with the outgoing editor of The Guardian the other night. Clever chap, sure he’ll go far in life.

The Guardian is very hot on security. Many of their writers have PGP keys which they publicly advertise. In theory, that’s great (complaints about PGP notwithstanding) – but the reality shows just how tricky it is to act in a security-conscious manner.

Have a look at Alan’s Twitter profile.

In the bio, we see a link – http://bit.ly/1g4S9WR which points to http://static.guim.co.uk/ni/1393869928289/Public-Key.asc.

Let’s take a look at a few reasons why this is sub-optimal.

Control

Who controls bit.ly? Not Alan. Not the Guardian. How easy would it be for a rogue employee to subtly redirect that URL elsewhere?

Gone are the days of Libya exercising its control on the .ly space (you did know that’s what .ly stood for, right?) But that doesn’t mean you should trust a third party with directing people to sensitive information!

Bit.ly isn’t accessible over HTTPS. A sufficiently determined attacker can see who is accessing the page – and possibly redirect the URL to a different site.

Information Leakage

Most bit.ly links allow you to append a “+” to the URL to see a page of statistics. I’ve written about this several times.

Off we go to http://bit.ly/1g4S9WR+

We can see when a cluster of people have visited the URL and what country they’re in. Is this leaking the identity of a journalistic source? Not directly – but it could help narrow down the target.

Homographic Disambiguation

Bit.ly allows you to create your own custom URLs. Useful for pulling pranks – and extremely useful for redirecting people.

So, if someone hacked the Twitter account and replaced http://bit.ly/1g4S9WR with http://bit.ly/Ig4S9WR – how long would it be before someone noticed? The latter example uses an upper-case i rather than the numeral 1 – and points to my PGP key.

Final Destination

But, let’s assume that no-one has monkeyed with the shortlink. We end up at http://static.guim.co.uk/ni/1393869928289/Public-Key.asc.

What is “guim.co.uk”? I guess it’s a server used by the GUardian to serve IMages – but it doesn’t quite carry the same trust as seeing the public key on TheGuardian.com.

guim also suffers from security issues. It’s not served over HTTPS – which means that it’s possible to see who is accessing the page and, crucially, a man-in-the-middle could alter its contents.

Putting it all together

By exploiting one or all of these weaknesses, a malicious attacker could create quite a convincing forgery.

If a random Bit.ly link took you to GUlM.CO.UK (a lower case L) and served you a PGP key for alan@guardian-email.co.uk (not the real address) – would you be convinced that it was a legitimate key for the correct user?

Fixing It

This is a pretty simple fix.

Use a direct link…

…to a trustworthy site…

…served over HTTPS…

…

That’s it!
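The three checks above (no third-party shortener, a host you actually trust, HTTPS on every hop) can be written down as a small audit, and the same character-folding trick catches the 1-versus-I and l-versus-I swaps from the “Homographic Disambiguation” and “Putting it all together” sections. The script below is an added example, not code from the original post or from The Guardian. The redirect table is a constructed in-memory stand-in for real HTTP redirects so the audit runs offline, the shortener and confusable-character lists are short illustrative ones rather than exhaustive, and the “good” Guardian URL and the attacker destination are hypothetical placeholders.

```python
"""Audit a published PGP-key link for shortener, host and transport weaknesses.

Added example. REDIRECTS is a constructed table standing in for the HTTP
redirects a real shortener would return; in production you would follow
the Location headers yourself and never trust the shortener's own preview.
"""
from urllib.parse import urlparse

# Hosts whose redirects are controlled by a third party (illustrative list).
SHORTENER_HOSTS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com"}

# Characters that look alike in many fonts, folded to one canonical form.
# "1", "I", "i", "l" and "|" all become "l"; "0" and "O" become "o".
CONFUSABLES = {"1": "l", "I": "l", "i": "l", "|": "l", "0": "o", "O": "o"}

# Constructed redirect table. The first entry mirrors the post; the second
# destination is a placeholder for wherever a swapped link might point.
REDIRECTS = {
    "http://bit.ly/1g4S9WR": "http://static.guim.co.uk/ni/1393869928289/Public-Key.asc",
    "http://bit.ly/Ig4S9WR": "http://example.net/ATTACKER-KEY-PLACEHOLDER.asc",
}


def skeleton(text):
    """Fold confusable characters so that lookalike strings compare equal."""
    return "".join(CONFUSABLES.get(c, c.lower()) for c in text)


def lookalike(a, b):
    """True when two strings differ only by visually confusable characters."""
    return a != b and skeleton(a) == skeleton(b)


def resolve_chain(url, redirects, max_hops=10):
    """Follow redirects from the table, returning every hop including the start."""
    hops = [url]
    while hops[-1] in redirects and len(hops) <= max_hops:
        nxt = redirects[hops[-1]]
        if nxt in hops:
            raise ValueError("redirect loop at %s" % nxt)
        hops.append(nxt)
    return hops


def audit_key_link(url, expected_host, redirects):
    """Return a list of findings; an empty list means the link passes all checks."""
    hops = resolve_chain(url, redirects)
    findings = []

    # Control: the first hop must not be a third-party shortener.
    first_host = urlparse(hops[0]).hostname
    if first_host in SHORTENER_HOSTS:
        findings.append("third-party shortener: %s" % first_host)

    # Transport: every hop, not just the last, must be HTTPS.
    for hop in hops:
        if urlparse(hop).scheme != "https":
            findings.append("not HTTPS: %s" % hop)

    # Final destination: the host must be the one the reader expects,
    # and a near-miss is reported separately from a plainly wrong host.
    final_host = urlparse(hops[-1]).hostname
    if final_host != expected_host:
        kind = "lookalike host" if lookalike(final_host, expected_host) else "unexpected host"
        findings.append("%s: %s (expected %s)" % (kind, final_host, expected_host))
    return findings


if __name__ == "__main__":
    # The link from the post, judged against the domain readers actually trust.
    for f in audit_key_link("http://bit.ly/1g4S9WR", "www.theguardian.com", REDIRECTS):
        print("FAIL:", f)
    # A hypothetical direct HTTPS link on the main site passes cleanly.
    print(audit_key_link("https://www.theguardian.com/pgp/alan.asc", "www.theguardian.com", REDIRECTS))
    # The two shortlinks from the post are indistinguishable once confusables are folded.
    print(lookalike("http://bit.ly/1g4S9WR", "http://bit.ly/Ig4S9WR"))
```

The point of folding characters before comparing is that a checker that only does an exact string match would happily report two different links as different, which is precisely what a reader glancing at a bio cannot do; folding makes the machine as forgiving as the eye, so it flags the cases where the eye would be fooled.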

Security is, sadly, too hard for most people. I wrote about how freedom fighters in South Africa were unable to maintain security due to human weaknesses – nothing much has changed in the intervening years.

I’ve shared these tips directly with The Guardian’s security people, and they are in the process of changing to a more robust system.

I’ve been reading “Think Like A Freak” by the authors of Freakonomics. In it, the authors ask us to start thinking more like maverick economists. It’s a fine way to increase your cognitive ability and get a fresh perspective on the world.

I’d like to ask you to think like a hacker. Find every weakness in the chain and work to eliminate it.