Don’t get me wrong, I am totally in favour of more and more leak sites. So, I started to examine Tradeleaks a little closer, and tech-wise it strikes me that it lacks basic security.
If you enlarge the picture above you will soon see that there is no HTTPS connectivity. For an average user this means anyone on the path (the local network, the ISP, any hop in between) can read the traffic: the leak is sent to the server in plaintext. Using a proxy, which the site recommends, hides your IP address from the server but does not fix this; the proxy operator and every hop from the proxy to the server still see the leak in the clear, so at best half your route is protected. End-to-end encryption between the source's browser and the site is the minimum a serious leak site needs.
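To make the point concrete, here is an added example (my code, not anything from the original post or from Tradeleaks) that parses a leak submission the way a passive observer on the route would. The request, the host name leaksite.example and the form field names are constructed for illustration and are not the real submission form.

```python
"""Added example, not code from the original post: what a passive observer
recovers from a leak posted over plain HTTP versus HTTPS.

The request, host name and form field names below are constructed for
illustration and are not the real Tradeleaks form.
"""
from urllib.parse import parse_qs

# Constructed form body of a leak submission, URL-encoded as a browser sends it.
_BODY = b"title=Internal+memo&leak=Q3+numbers+were+restated&email=src%40example.org"

# The request exactly as it travels between the client (or the client's proxy)
# and an HTTP-only server: readable by every hop in between.
CAPTURED_REQUEST = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: leaksite.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: %d\r\n" % len(_BODY)
    + b"\r\n"
    + _BODY
)


def parse_plaintext_post(raw: bytes) -> dict:
    """Split a captured HTTP/1.1 request into its request line, headers and
    decoded form fields. No key is needed: nothing on the wire is encrypted."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields = {}
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        length = int(headers.get("content-length", len(body)))
        fields = {k: v[0] for k, v in parse_qs(body[:length].decode()).items()}
    return {"method": method, "path": path, "version": version,
            "host": headers.get("host"), "headers": headers, "fields": fields}


def observer_view(raw: bytes, over_tls: bool) -> dict:
    """What someone sniffing one hop of the route learns.

    over_tls=False: the whole submission, source contact details included.
    over_tls=True:  only the destination (from the IP header and the TLS SNI
                    extension) and the approximate size of the upload.
    A proxy only moves the sniffing point: the proxy operator and every hop
    after it see the plaintext just the same.
    """
    req = parse_plaintext_post(raw)
    if over_tls:
        # The host name stands in for what SNI/IP headers expose; nothing else is readable.
        return {"destination": req["host"], "approx_bytes": len(raw)}
    return {"destination": req["host"], "path": req["path"], "submission": req["fields"]}
```

Running `observer_view(CAPTURED_REQUEST, over_tls=False)` returns the title, the leak text and the source's e-mail address; with `over_tls=True` only the destination host and a byte count remain, which is the whole difference between the current site and an HTTPS one.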
Moreover, it states:
TradeLeaks stores the IP addresses of sources who post on the TradeLeaks website. As such, we encourage all sources to ensure they use anonymous proxies before posting to our website. More information about anonymous proxies can be found here: Anonymous proxy (Wikipedia)
Why store log files at all? For an ordinary website, sure, you want statistics and maybe you want to sell the information to a third party. But a leak site? No way. Logs should never be written in the first place, or should go straight to /dev/null. Whatever is written is evidence: any authority that seizes or subpoenas those machines gets the source IP address, the time of the submission and the request path from one file, and telling sources to "use an anonymous proxy" just shifts that burden onto them.
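As an added example (my code, not from the original post or from Tradeleaks), here is what a default web-server access log records about a source, and a scrubber that keeps only the fields traffic statistics need. The log line is constructed; the IP address and browser string are invented. Not logging is the real fix; scrubbing is the fallback for anything that must be kept.

```python
"""Added example, not code from the original post: the identifying fields in a
default "combined" access-log line, and a scrubber that removes them while
keeping the line parseable by ordinary statistics tools.
"""
import re

# One constructed line in the combined format that Apache and nginx write by
# default. Everything except status and size points back at the source:
# IP address, full request path, referring page, browser string, exact time.
SAMPLE_LINE = (
    '203.0.113.7 - - [12/Apr/2011:21:14:02 +1000] "POST /submit?step=2 HTTP/1.1" '
    '302 0 "http://leaksite.example/submit" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0"'
)

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_combined(line: str) -> dict:
    """Parse one combined-format access-log line into named fields."""
    m = COMBINED_RE.match(line)
    if m is None:
        raise ValueError("not a combined-format log line: %r" % line)
    return m.groupdict()


def identifying_fields(line: str) -> dict:
    """The fields an investigator would use to tie the request to a person."""
    f = parse_combined(line)
    parts = f["request"].split(" ")
    return {"ip": f["ip"], "referer": f["referer"], "agent": f["agent"],
            "path": parts[1] if len(parts) == 3 else f["request"]}


def scrub(line: str) -> str:
    """Rewrite the line keeping only hour-granular time, method, path without
    query string, protocol, status and size. IP, ident, user, referer and
    user agent become '-', the conventional empty value in this format."""
    f = parse_combined(line)
    day, hour, _minute, rest = f["time"].split(":", 3)
    tz = rest.split(" ", 1)[1] if " " in rest else ""
    coarse_time = "%s:%s:00:00" % (day, hour) + (" " + tz if tz else "")
    parts = f["request"].split(" ")
    if len(parts) == 3:
        method, path, proto = parts
        request = "%s %s %s" % (method, path.split("?", 1)[0], proto)
    else:
        request = "-"
    return '- - - [%s] "%s" %s %s "-" "-"' % (coarse_time, request, f["status"], f["size"])
```

The scrubbed line still parses with the same regular expression, so hit counts and status statistics keep working, but nothing in it identifies who submitted the leak or when to the second.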
Third: the "Silicon Valley beacon". Image below:
Tradeleaks tells Facebook, Google, Reinvigorate and reCAPTCHA that you have submitted a leak. The front page also tells Twitter. That's like half of Silicon Valley... They should never have this information. Every script, widget or image loaded from a third party is a request your browser makes to that party, carrying the URL of the page you are on as the Referer header together with whatever cookies that party has already set for you; if you are logged in to Facebook or Google, the visit to the submission page can be tied to your account. Just look at the Twitter (and probably lots of other) subpoenas!
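To check this on any page, here is an added example (my code, not from the original post or from Tradeleaks) that lists which third-party hosts a page makes the browser contact and what Referer each one receives. The page URL leaksite.example and the HTML are constructed; the widget URLs are typical of the embeds named above, not copied from the site. It also goes slightly beyond the text by modelling two Referrer-Policy settings: the browser default of that era, which sends the full page URL, and today's default, which still reveals the site's origin.

```python
"""Added example, not code from the original post: an audit of the third
parties a page makes the visitor's browser contact, and the Referer each
receives. Page URL and HTML are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed confirmation page with typical social, captcha and analytics embeds.
PAGE_URL = "http://leaksite.example/submit/thanks?id=1042"
PAGE_HTML = """
<html><body>
<h1>Thanks, your leak has been submitted</h1>
<script src="/static/site.js"></script>
<script src="https://www.google.com/recaptcha/api.js"></script>
<script src="http://connect.facebook.net/en_US/all.js"></script>
<script src="https://www.google-analytics.com/ga.js"></script>
<iframe src="http://platform.twitter.com/widgets/tweet_button.html"></iframe>
<img src="http://analytics.example-tracker.net/pixel.gif" width="1" height="1">
<link rel="stylesheet" href="/static/site.css">
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collect URLs the browser fetches automatically while rendering the page."""
    SRC_TAGS = {"script", "img", "iframe", "embed"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in self.SRC_TAGS and a.get("src"):
            self.urls.append(a["src"])
        elif tag == "link" and "stylesheet" in (a.get("rel") or "") and a.get("href"):
            self.urls.append(a["href"])


def referer_for(page_url, target_url, policy="no-referrer-when-downgrade"):
    """Referer header a browser sends when fetching target_url from page_url.

    no-referrer-when-downgrade: legacy default, full page URL unless the
    request goes HTTPS -> HTTP. strict-origin-when-cross-origin: current
    default, full URL same-origin, origin only cross-origin, nothing on downgrade.
    """
    page, target = urlsplit(page_url), urlsplit(target_url)
    downgrade = page.scheme == "https" and target.scheme == "http"
    same_origin = (page.scheme, page.netloc) == (target.scheme, target.netloc)
    full = urlunsplit(page._replace(fragment=""))
    origin = "%s://%s/" % (page.scheme, page.netloc)
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "strict-origin-when-cross-origin":
        return None if downgrade else (full if same_origin else origin)
    raise ValueError("unsupported policy: %s" % policy)


def third_party_requests(page_url, html, policy="no-referrer-when-downgrade"):
    """Map each third-party host contacted to the Referer it receives, i.e. the
    page the visitor was on. Each request also carries that host's own cookies,
    so a visitor logged in to that service can be tied to the visit."""
    collector = ResourceCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).netloc
    seen = {}
    for url in collector.urls:
        absolute = urljoin(page_url, url)
        host = urlsplit(absolute).netloc
        if host != page_host:
            seen.setdefault(host, referer_for(page_url, absolute, policy))
    return seen
```

`third_party_requests(PAGE_URL, PAGE_HTML)` returns five hosts, each paired with the full "thanks for your leak" URL; even under the stricter modern policy every one of them still learns that the visitor was on leaksite.example.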
The Technical Contact for Tradeleaks.com is:
Tradeleaks Pty Ltd
IT Department (email@example.com)
PO Box 439
Albert Park, Australia 3206
5000 Walzem Road
So, once again: I really like the concept of more leak sites. And I am very happy to see more and more of them. But security is always the first issue, and these scripts, the lack of end-to-end encryption and the log files may put people in danger. If I were a Facebook or Google employee leaking information, I wouldn't want scripts to call home to my boss, that is for sure.