From LeakDirectory

Jump to: navigation, search


General Notes

The original website made so many anonymity and security errors that it has now, thankfully, been replaced by a much better website (still to be launched).

Our notes and analyses of the original false start website, to educate potential whistleblowers and whistleblower website operators about some of the mistakes to avoid can still be accessed via:


Update 10 June 2012 - use of CloudFlare content delivery network

Still no launch or publication of any whistleblower leaks, or of the promised privacy and acceptable use policy by

They seem to be experimenting with the CloudFlare content delivery network, which whilst providing extra bandwidth and resistance to Denial of Service attacks. Rather like Google, CloudFlare also seems to treat some Tor Exit Nodes as "suspicious" or "virus infected" (some of them do get abused) even when your local computer is not. This can lead to the triggering of a CAPTCHA page which is full of third party tracking graphics, which betray the visitors' IP address and web browser details etc. - not acceptable for whistleblower source anonymity protection.

If this does happen, you should break your current Tor connection and Re-Connect via a different Tor Exit Node,ideally after a plausibly deniable delay. Check the IP address first before going to the whistleblower website e.g. by going to the Home page configured by default in the Tor Browser Bundle.

Alternatively you can simply use the TOR hidden services which are not protected by CloudFlare.

Update 19 May 2012

Brileaks launches an anonymous support desk system:!/BritileakTech/status/203840309505966081.

On date 19 May 2012 (some minutes after it's launch) a persistent XSS vulnerability has been reported on the page for creation of a new ticket: Within 25 minutes the issue was resolved.

No SQL injections have been found in the system.

Update 05 April 2012

Still not yet launched, but they have been "open alpha" testing their website.

Still plenty of spelling mistakes (dyslexia ?) and text copied straight from the defunct WikiLeaks submission system.

Their promised detailed Policy / Disclaimer about exactly what is and is not acceptable for publication, which should also be gathering feedback from potential users of the website, is still secret.

SSL Site

Their site can be accessed via SSL now: Note the 444, this is required as the default port 443 running

Oh; forgot to mention we registered, redirects to SSL (SNI is a bitch).

Update 3rd January 2012

On BritiLeaks Tumblr they have written the following:

I would like to make a few notes on Leak Directory.
A) Their Wiki is full of spam, a sign of truly bad administration: e.g. 
B) They utilise a exploitable version of MediaWiki:
C) They have criticised us for loading Twitter graphics, from Twitter; yet they, in an attempt to prevent spam load use Recaptcha (from Google’s servers).
D) Their SSL configuration is absolutely awful.
They criticise our smallest, inane mistakes; it would be interesting to see how they would react if we did any such things. Just to note; we are not against or opposed to LeakDirectory (in fact we been using some elements of our LeakDirectory page to find, and resolve issues), just find the above interesting.
LeakDirectory responded on Twitter:

@BritileakTech Thanks for notes. Please consider that LeakDirectory it's just a public wiki with anonymous editing. We don't handle *leaks

Update 1st January 2012 Tor Exit Node

UPDATE: BritiLeaks have stated they will not sniff any traffic from their exit node.!/BritileakTech/status/153504480720199680

@BritileakTech BritiLeaks Techies

As a few of you have noticed we are also a Tor exit node as as a rather crude way to hide trails further.

3:54 PM, Jan 1st 2012

One of the accusations against was that their initial cache of alleged whistleblower leak documents was the result of unethically sniffing the traffic from Tor Exit nodes under their, or their associates control. need to clearly state that they will not do this.

Running a Tor Exit node should be welcomed by other whistleblowing websites making use of Tor.

However, it does increase the chances of legal subpoenas, complaints to and blocking by ISPs or by Government or corporate content filtering systems, which may adversely affect the number of people who can access in order to submit a whistleblower leak.

There may be some impractical anonymity correlation attacks (by the theoretical Global Passive Adversary) against the Tor Hidden Services if they are being run on the same machine as the Tor Exit node.

The BRITILEAKS [] Tor Exit node is running the old, critically unpatched version version of the software

Update 1st January 2012 Disclaimer / Publication Policy text

A draft of the promised Disclaimer has been published:

This is quite ambitious in scope and many more detailed questions will be asked and need to be answered:

Note the apparent Author's name left in the EXIF meta data of this document.

BritiLeaks accepts and publishes material that is:

• Of significant; political, ethical, diplomatic or historical value. • Under active censorship, or pressure for its removal, or previously unreleased. • Not be myth, or rumor, or untrue. [sic]

You can see that this section has been influenced by the original promises, which they did not always stick to.

Treatment of sources:

• BritiLeaks will NEVER co-operate with anyone trying to track a sources identity.

• BritiLeaks will NEVER disclose a sources identity.

Can that be trues even if people are served with legal threats, or are arrested, or if violence is threatened against them or their families ?

• BritiLeaks online submission system makes it impossible for BritiLeaks to know a sources identity.

• BritiLeaks uses laws in many different countries (e.g. Belgium, Sweden, Iceland) to help protect the source.

"a sources identity" should probably have an apostrophe i.e. "a source's identity"

Another bit of influence

Just connecting to the internet in those countries does not guarantee that their journalism protection laws are invoked, if it did, then the North Korean, Chinese and Iranian censorship laws (and death penalties) would also apply equally e.g. you need to be a Registered Journalist in Sweden to take advantage of their press protection laws.

• BritiLeaks submission system is fully encrypted (often with layered encryption).

• BritiLeaks servers do not keep ANY logs about the visitors.

• We format information in such a way that all trails to the source are destroyed; any unredacted versions are destroyed.

What is the redaction / censorship policy, in detail ?

How will check that the whistleblower source is genuine ?

• BritiLeaks follows many protection policies; many are not listed here to protect sources.

These other policies also need to be transparently published and discussed

• BritiLeaks will immediately destroy information about the sources identity if received.

Is this data destruction proof against forensic data recovery, if computers or removable storage media are seized as evidence in a leak investigation or are lost or stolen ?

BritiLeaks will, to the fullest of its ability:

• Protect the source.

• Give the material as much press attention as possible.

• Give the material the biggest impact, politically, socially, and historically.

"as much press attention as possible" means issuing proper Press Releases, establishing face to face relationships with journalists for "exclusive" first access to stories and avoiding Julian Assange style accusations of "betrayal" by the mainstream media.

At the very least BritiPress / BritiLeaks need to provide full email and phone number contact details, official Press release web pages, press and media email subscription lists, RSS feeds etc. and to have credible spokesmen ready to be interviewed ahead of tight publication deadlines. A semi-anonymous Twitter feed as the only method of contact will not achieve this.

• Keep the information available to the public; despite pressure to remove it.

Does that include a promise to keep previously published material online, even when news whistleblower submissions are suspended for various reasons (something which failed to do).

• Defend the material against attacks.

Attacks from whom ? What sort of attacks ?

• Ensure people are not harmed by the release.

This last point needs to be spelled out in detail.

Topics not covered:

Who are the people behind ?

Where does the money come from ?

Why should a whistleblower trust rather than another website (or none at all) ?

Update 1st January 2012

  • The prelaunch home page
    • They have now removed the "follow button" graphic images pulled directly from Twitter's webservers, which were handing over all visitors IP address and web browser details to a webserver not under BritiLeaks control - BritLeaks may claim not to hold such logfiles which can be legally or illegally seized, but Twitter etc. certainly do
    • They promise they will be moving their main site to Sweden soon. There are no issues with the Icelandic one.[see Discussion page]
    • Disclaimer: Note the apparent Author's name left in the EXIF meta data of this document.
    • Notes on the submission system are promised also.

    Update 31st December 2011 / 1st January 2012

    UPDATE: BritiLeaks have quickly pulled the browser bundle of line, after a few hours of being online; with this message:

    "The BritiSubmit application was accidentally released, it was meant to be a version for internal testing only. Has been removed."

    An earlier tweet reveals:

    Excuse the sudden change in; doing some experimenting.

    Submissions were still not accepted in this period.

    In the directory, a now deleted version of a newer version of the Browser bundle was found. It also contained an encryption application and the bundle could only could connect to the SecureSubmissionSystem using SSL.

    This is another example of how whistleblower websites have to be extremely professional when it comes to software releases and patches, otherwise they risk utterly damaging their credibility and reputation, even before it has gained a critical mass of support, just like the Haystack debacle


    We strongly advise you use the BritiSubmit tool available at the following links: Mac Windows, if you are able to run it, it will add aditional protection to the system such as the Tor network, on the same page we offer support to whistleblower support. [sic]

    Before being taken offline the "BritiSubmit tool" appears to have been be a badly configured, unacknowledged copy of a recent, but critically vulnerable version of the Tor Browser Bundle. would be better off simply mirroring the latest Tor Browser Bundle software (with Digital Signatures) on their own server and writing, or pointing to, the appropriate setup instructions and anonymity warning caveats.

    However as a positive they have integrated internal Tor bouncing, which will help protect a sources identity; however little. This is similar to what WikiLeaks did prior to their submission system being taken offline.

    {see the Discussion page for questions about the utility of this feature)

    Update 28th December 2011

    It is now claimed their submission system is ready, and it will be launched alongside their first leak.

    Obviously this "first leak" will not have been submitted publicly through the new submission system (the "chicken and egg" dilemma of all new public websites)

    There does not appear to be any plan for a public beta test of the submission system before launch.

    This Tweet hints that this "first leak" may have something to do with Jemima Khan:!/BritiLeaks/status/150989623173185536 
    @BritiLeaks Briti McLeaky
    @Jemima_Khan Ms. Khan, We'd like to speak to you at some point in the near future when
    you're free. Merry Christmas,
    5:21 PM, Dec 25th 2011

    Their SSL technologies have been made even better than they already were, supporting TLS 1.1 and TLS 1.2 alongside many other improvements, such as better Cipher Strength

    This is better than almost all other whistleblowing, official government tipoff, internet banking or e-commerce websites

    N.B. SSL encryption is only part of the toolkit needed to help preserve the anonymity and security of potential or actual whistleblowers or to protect the whistleblowing website infrastructure from legal or illegal attacks.

    The tech team may be supported by MJSAHost teaser screenshot

    N.B. the spelling mistakes and awkward grammar illustrated in this screenshot need to be fixed before launch.

    The Pre-Launch web page now no longer includes any email contacts, only Twitter feeds (i.e. only a single point of failure / target for legal injunctions or subpoenas or censorship):

    Update 11th December 2011

    The new secure submission system is still promised "in a few days".

    However, have now started mirroring other websites, something which if reciprocated, will strengthen their resistance to legal or illegal censorship.

    The downside is that they have to decide if all of the content of all of the other websites they are mirroring, is acceptable within their (still as yet undisclosed) publishing policy disclaimer.

    There also now seems to be sort of parallel Press Release website project, also currently not yet launched, using CloudFlare

    BritiPress @BritiPress

    Sister media organisation of @BritiLeaks.

    Everywhere. ·

    Update 4th September 2011 have now abandoned their use of free webspace in favour of a new website hosted in Iceland

    ==Welcome to BritiLeaks.== Note: BritiLeaks is nearly ready to launch, we will be online with a advanced secure submission system in a few days.

    BritiLeaks is an originally British based non-profit news organization designed for publishing important news stories around the world;

    The original website seemed to be set to concentrate just on the United Kingdom, they now seem to have world wide ambitions.

    this is based on a whistleblowing interface where we offer a legally and technically protected way for sources to deliver important information to us.

    It will be interesting to see what legal protections they claim to offer.

    Britileaks publishes genuine material that is of political, ethical, diplomatic or historical value, that is unreleased or under active censorship (read our disclaimer for more information) regardless of which country it concerns. This way we can uncover hidden wrong doing by provide real evidence rather than media speculation, and political views that modern media has descended into. We promise maximum impact our releases, as well as keeping the material available and ensuring innocents are not harmed amongst many promises which you can read in our disclaimer.

    BritiLeaks is currently not yet ready for launch, but we are 99% complete.

    We crush corruption.

    The as yet unpublished Disclaimer will need to be analysed carefully

    The old Twitter feed seems to have gone silent:!/britileaks

    Briti McLeaky

    @BritiLeaks UK

    Exposing corruption in the UK and Great Britain

    There are two additional feeds:!/BritiPress is mentioned on their main site, and possesses the domain "".

    "Sister media organisation of @BritiLeaks."

    Also there is:!/BritileakTech

    BritiLeaks techies.

    @BritileakTech BritiLeaks Tech Dept.

    Tweets from the Britileaks tech team; site updates, recruitment, news, releases.

    This announces the new updated home page, promising a new secure submissions system

    They seem to be offering two Tor Hidden services

    to the main site


    and to


    Both and point to the same server hosted in Iceland

    Contact Details

    Press Enquiries
    General Enquiries
    telephone: none
    fax: none
    email address:

    N.B. the current home page does not provide any such contact details, these are from the old website version(s)

    Postal Address:

    Social Networking publicity




    Blog / RSS


    Financial Donation methods


    Currently accepting submissions of whistleblower leaks ?


    Planned Submission system launch date ?

    Soon ? (as of 5th April 2012)

    Restrictive legal Terms & Conditions

    No - see the ambitious Disclaimer

    Practical Advice on preserving Whistleblower Anonymity


    A few common sense whistleblower anonymity tips from the Centre for Investigative Journalism, advice and screenshots about installing Tor (but the Tor Hidden Service http://pwi7cqrqep7u7ggg.onion seems to be down) , Internet cafes and open Wi-Fi (needs to be expanded) using a 3G data dongle, a (non-functional) Postal submission network (a la WikiLeaks)

    Leak Submission Encryption

    Digital Certificate fingerprints published on their website:

    Yes, on

    SHA1: C0 C5 BE 3B D4 0C 8B 32 26 88 A4 42 24 BC 3D 43 0E B2 82 F2

    MD5: 5C A0 48 D3 C8 24 FD 22 2E 6A 90 BD 16 EF 1C EA

    Qualsys SSLLabs SSL Server Test rating:

    Overall rating: A [98]

    Certificate: 100

    Protocol Support: 95 - Due to their decision to support all TLS protocols, should be perfectly fine.

    Key Exchange: 100

    Cipher Strength: 100

    Issuer: StartCom Ltd.

    Includes Secure Renegotiation, Strict Transport Security and resistance to BEAST man in the middle attacks - i.e. better than most other whistleblower or official government tipoff websites or most internet banking or e-commerce websites

    As @BritleakTech mention on their Twitter stream, the BEAST vulnerability is probably not an issue as they do not currently use cookies on their website.

    PGP Public Encryption Key

    After their disastrous start with publishing a PGP key, they do seem to have finally mastered the use of PGP.

    We will wait to see if the PGP Key we have corresponded with is the one which they publish on the new site.

    TOR Hidden Service

    They seem to be offering two Tor Hidden services

    to the main site


    and to


    I2P eepsite



    Hushmail Secure Form


    Leak Submission Anonymity

    TOR users blocked from access


    3rd Party or persistent tracking cookies or graphics

    Yes No

    They are currently pulling Twitter follow button graphics from Twitter's own webservers, rather than copying the images and serving them locally from their own webserver.

    They have now removed the offending Twitter graphics images

    CAPTCHA graphics generated from another website e.g. Google Re-Captcha


    Mixed mode non-SSL graphics or style sheets


    Embedded video clips etc. from another website e.g. YouTube


    Flash file uploader class


    Communications / Acknowledgement back to the whistleblower via the website

    Acknowledgement of receipt of information

    e.g. file upload success indicator - has the leak message or upload actually been received successfully ?

    Not really

    There is a misspelled and somewhat pretentious Thank You page

    Thank You.

    What you have done today could change the cource of history.

    All we ask of you now is to maintain your annonimity.

    BritiLeaks, powered by you.

    We crush corruption. Powered by MJSAHost.

    Leak analysis work flow status reporting

    e.g. Has anyone actually looked at what the whistleblower has submitted ?


    Private message box

    e.g for 2 way communications back to the anonymous whistleblower, asking for clarification, offering advice etc.


    Domain Name Resilience

    Domain Name Registrar [] is in the United States of America (USA) [] is in the United States of America (USA)

    USA based registrar Enom Inc. [] forwards to

    N.B. is potentially very vulnerable to US legalistic censorship as it seems to be a controversial GoDaddy domain and are provided by MJSAHost.

    Multiple Internet Service Providers, in different legal jurisdictions ?


    Domain Name Server(s) & jurisdiction(s)

    All in the USA legal jurisdiction



    Web Server hosting jurisdiction(s) []

    and []

    (N.B. same IP address)

    are both hosted in Iceland by

    Alternate Domain Name aliases

    Actual Physical Mirrors of the website:


    Content officially available via BitTorrent etc P2P etc.


    Hosting of Mirrors of other whistleblowing websites


    Mirrors maybe torrents or direct downloads;

    Current mirrors:



    "TPCrawler" by IcyApril (
Personal tools