OpenLeaks.org is a current work in progress by former WikiLeaks.org people, including Daniel Domscheit-Berg, with the intention of providing a whistleblowing infrastructure for local whistleblowers, the mainstream media and non-governmental organisations, without the controversy associated with Julian Assange and WikiLeaks.org.
They should have much to contribute in terms of computer infrastructure security, anonymity and scalability experience, but their system, like that of WikiLeaks.org / WikiLeaks.ch itself, is not currently accepting any whistleblower submissions.
See Andy Greenberg's article:
Domscheit-Berg argues that leaking sites’ security measures don’t need to be as tight as WikiLeaks’ were during Domscheit-Berg’s time with the group – they need to be tighter. Adversaries of leaking like corporations, law enforcement and intelligence, he says, have ramped up their security measures in the wake of WikiLeaks’ record-breaking breaches. “WikiLeaks appeared out of nowhere,” says Domscheit-Berg. “It caused a lot of new problems no one had thought about before. Now they’ve thought about this whole thing for a bit. The dust has settled. And it will never be as easy again.”
That means facilitating leakers needs to become more systematic and rigorous, Domscheit-Berg says.
Update 05 February 2012
The self-signed Digital Certificate for openleaks.org was allowed to expire on 18th October 2011, which rather casts doubt on whether the project is still active or not in February 2012.
There are Twitter rumours that Daniel Domscheit-Berg has been re-admitted into the Chaos Computer Club, after making it clear that the OpenLeaks.org project is not officially endorsed by CCC i.e. something which almost nobody outside of the CCC bureaucracy thought was either true or important.
Update 21 August 2011
The publicity about this test preview of the OpenLeaks.org submission system, the temporary https://leaks.taz.de website, has led to controversy in Germany. It was used as the excuse to expel Daniel Domscheit-Berg from the Chaos Computer Club.
The real reason for his expulsion seems to be related to a single copy of an encrypted disk, for which Julian Assange was the only person to have the cryptographic keys, but which was in the physical possession of Daniel Domscheit-Berg when he and the other main technical team members left WikiLeaks.org last year.
The main effect on OpenLeaks.org of this expulsion may be to make it impossible for them to make use of the Wau Holland charitable foundation as a conduit for financial contributions, a service which they provide to the WikiLeaks.org project. see
Update 08 September 2011
Daniel Domscheit-Berg is reported as having now destroyed the encrypted data from WikiLeaks.org, citing the need to protect whistleblower sources, something which WikiLeaks.org still cannot be trusted with.
The propaganda and threats aimed personally at Daniel Domscheit-Berg by WikiLeaks.org fanatics, to somehow blame him for their own security failings and incompetence (WikiLeaks.org leaked their own "crown jewels" leak of unredacted US Diplomatic Cables online through BitTorrent and by stupidly re-using a cryptographic password) may make it difficult or impossible for the OpenLeaks.org project to proceed as planned.
Whistleblower websites need to learn from these personnel and procedural failures - technology is only part of the anonymity / security / trust / publicity / publishing system that such websites aim to achieve.
* email: email@example.com
* telephone: +49 30 57706454 0
* fax: +49 30 57706454 9
* email address: firstname.lastname@example.org
* OpenLeaks on Skype: OpenLeaks@skype.com
Social Networking publicity
Mainstream media print and broadcast journalists and politicians etc. i.e. influential people at which whistleblower leaks are targeted, are busy people, but can sometimes be enticed to read about whistleblower issues through Twitter or FaceBook or Blog RSS feeds etc.
While we would like to use the twitter account we registered (openleaks), we can not because something is wrong with the account. We tried to recover it through the official process of working together with twitter but were turned down.
Financial Donation methods
Methods of accepting payments from the public and supporters also come under political and legal pressure, as WikiLeaks.org have learned to their cost:
OpenLeaks.org is currently soliciting money through several payment methods:
Currently accepting submissions of whistleblower leaks ?
Planned Submission system launch date ?
- perhaps after the Chaos Communication Camp in the Summer of 2011
10th, 11th, 12th, 13th and 14th August 2011 at Finowfurt (near Berlin), Germany
Leak Submission Encryption
Digital Certificate fingerprints published on their website:
The SSL certificate we use for this website has the following fingerprints:
* SHA-1: 14:1F:81:F7:A2:F6:01:52:4C:82:B2:94:43:6D:5C:D9:A4:65:22:C5
* MD5: D9:83:FC:4D:6A:65:F8:2F:85:CA:20:2C:F2:93:3C:A8
The serial of the certificate is 0A:1D:E6.
N.B. these published cryptographic hash fingerprints now do actually match the currently installed Digital Certificate - there have been 2 or 3 Digital Certificate changes between January and May 2011.
This self-signed Digital Certificate was allowed to expire on 18th October 2011, which rather casts doubt on whether the project is still active or not in February 2012.
It is a good idea to publish these on the website, but only if the web page and the installed certificate are actually kept up to date.
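The check this section calls for, as an added Python example that is not from the original page or from OpenLeaks: compare the fingerprints published on the web page with the certificate actually served, and flag expiry. The function names and `SAMPLE_DER` are assumptions made for illustration; the fingerprints and the 18th October 2011 expiry date are the ones quoted above.

```python
import hashlib
import hmac
import ssl
from datetime import datetime, timezone

# Fingerprints and expiry date as quoted on the page for openleaks.org.
PUBLISHED = {
    "sha1": "14:1F:81:F7:A2:F6:01:52:4C:82:B2:94:43:6D:5C:D9:A4:65:22:C5",
    "md5": "D9:83:FC:4D:6A:65:F8:2F:85:CA:20:2C:F2:93:3C:A8",
}
# Assumption: the page gives only a date, so midnight UTC is used.
NOT_AFTER = datetime(2011, 10, 18, tzinfo=timezone.utc)

# Constructed stand-in for certificate bytes so the example runs offline.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"


def normalise(fp):
    """Drop colons/spaces and lowercase, so any published format compares equal."""
    return "".join(c for c in fp if c not in ": ").lower()


def fingerprint(der, algo):
    """Hex digest over the DER encoding, which is what browsers display."""
    return hashlib.new(algo, der, usedforsecurity=False).hexdigest()


def fetch_der(host, port=443):
    """Fetch the served certificate; no chain validation, so self-signed works."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def audit(der, published, not_after, now):
    """List problems: stale published fingerprints and an expired certificate."""
    problems = []
    for algo, claimed in published.items():
        actual = fingerprint(der, algo)
        if not hmac.compare_digest(actual, normalise(claimed)):
            problems.append(f"{algo} fingerprint on web page does not match served certificate")
    if now >= not_after:
        problems.append(f"certificate expired {(now - not_after).days} days ago")
    return problems


if __name__ == "__main__":
    for line in audit(SAMPLE_DER, PUBLISHED, NOT_AFTER, datetime(2012, 2, 5, tzinfo=timezone.utc)):
        print(line)
```

Against a live site, pass `fetch_der(host)` instead of `SAMPLE_DER`; a mismatch means either the web page is stale or the served certificate is not the one the operators published.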
Qualys SSL Labs SSL Server Test rating:
Overall rating: F
Protocol Support: 85
Key Exchange: 80
Cipher Strength: 90
No weak cipher suites or deprecated SSL 2.0 protocol, but because this is a self signed Digital Certificate, some potential users will refuse to trust this website, or their web browser configurations will prevent them from trusting this website.
When OpenLeaks.org launched their website back in January 2011, they did use a commercial Digital Certificate from GlobalSign nv-sa, which they abandoned for some undisclosed reason.
N.B. The DNS entries for OpenLeaks.org have a second A record which points to another IP address:
perhaps for resilience or development, but which does not currently have any public Digital Certificate installed.
PGP Public Encryption Key
PGP ID: 0xB52DC7BA
Type: RSA 4096/4096
Cipher: AES 256 bit
PGP Fingerprint: 42CC E8DE 2463 8F46 8D9B 86A3 21D6 A86F B52D C7BA
TOR Hidden Service
Domain Name Resilience
The threats of legal court proceedings against Domain Name Registrars and Domain Name Service providers are lessons which WikiLeaks.org emulators should take note of:
Domain Name Registrar
Web Commerce Communications Limited dba based in Kuala Lumpur, Malaysia
Multiple Domain Name Service providers, in different legal jurisdictions ?
1984.is is based in Iceland
afraid.org is based in California, USA
OpenLeaks.org is hosted in Germany
Alternate Domain Name aliases
The following alternate domains are currently available:
* openleaks.org [188.8.131.52] and [184.108.40.206]
* openleaks.net [220.127.116.11] and [18.104.22.168]
* openleaks.rs [22.214.171.124]
* openleaks.ws [126.96.36.199]
Actual Physical Mirrors of the website:
Content available via BitTorrent etc P2P etc.