Entries tagged as taz

OpenLeaks doing strange things with SSL

Friday, August 12. 2011, 17:26
(Screenshot: leaks.taz.de)

OpenLeaks is a planned platform like WikiLeaks, founded by ex-WikiLeaks member Daniel Domscheit-Berg. It was announced a while back, and a beta is currently being presented in cooperation with the newspaper taz during the Chaos Communication Camp (where I am right now).

I had a short look and found some things noteworthy:
The page is SSL-only; any connection attempt over http is redirected to https. When I opened the page in Firefox, I got a message that the certificate is not valid. That's obviously bad, although most people probably won't see this message.

What is wrong here is that an intermediate certificate is missing - we have a so-called transvalid certificate (the term "transvalid" has been used for this by the EFF SSL Observatory project). Firefox includes the root certificate from Go Daddy, but the site's certificate is signed by another certificate, which itself is signed by that root certificate. For the chain to verify, the server has to ship this so-called intermediate certificate when an SSL connection is opened.

The reason why most people won't see this warning, and why it probably went unnoticed, is that browsers remember intermediate certificates. If someone has ever been on a web page which uses the Go Daddy intermediate certificate, he won't see this warning. I saw it because I usually don't use Firefox and it had a rather fresh configuration.
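To make the chain-building behaviour described above concrete, here is a small model written for this post (not code from OpenLeaks or from any browser): certificates are reduced to (subject, issuer) name pairs, the trust store holds only the root, and a "cache" stands in for the intermediates a browser remembers from earlier sites. The CA names and the hostname are constructed placeholders, not the real certificate subjects.

```python
"""Model of how a client builds a certificate chain, showing why a server
that omits its intermediate looks broken only to clients with a fresh profile.

Certificates are modelled as (subject, issuer) name pairs; this is an added
illustration, not real X.509 parsing. All names are constructed placeholders.
"""

# Constructed trust store: the browser ships only the root certificate.
TRUSTED_ROOTS = {"Go Daddy Root CA"}

# Constructed certificates as (subject, issuer).
LEAF = ("leaks.taz.de", "Go Daddy Secure CA")               # signed by the intermediate
INTERMEDIATE = ("Go Daddy Secure CA", "Go Daddy Root CA")   # signed by the root


def build_chain(presented, cached=(), roots=TRUSTED_ROOTS):
    """Return (ok, chain, missing_issuer).

    `presented` is what the server sent in the handshake (leaf first);
    `cached` models intermediates the browser remembers from earlier sites.
    The chain is followed issuer by issuer until a trusted root is reached
    or no certificate for the next issuer can be found.
    """
    by_subject = {subj: (subj, iss) for subj, iss in list(cached) + list(presented)}
    chain = [presented[0]]
    seen = {presented[0][0]}          # guards against issuer loops
    while True:
        _subject, issuer = chain[-1]
        if issuer in roots:
            return True, chain, None
        if issuer not in by_subject or issuer in seen:
            return False, chain, issuer   # the "transvalid" dead end
        seen.add(issuer)
        chain.append(by_subject[issuer])


def transvalid(presented, cached=(), roots=TRUSTED_ROOTS):
    """True when the chain closes only thanks to cached intermediates,
    i.e. a fresh profile fails while a warmed-up browser succeeds."""
    ok_alone, _, _ = build_chain(presented, (), roots)
    ok_cached, _, _ = build_chain(presented, cached, roots)
    return (not ok_alone) and ok_cached


if __name__ == "__main__":
    print("fresh profile, leaf only:   ", build_chain([LEAF]))
    print("cached intermediate:        ", build_chain([LEAF], cached=[INTERMEDIATE]))
    print("server ships intermediate:  ", build_chain([LEAF, INTERMEDIATE]))
    print("transvalid?                 ", transvalid([LEAF], cached=[INTERMEDIATE]))
```

The fix on the server side corresponds to the third case: sending the intermediate along with the leaf makes the chain close regardless of what the client has cached.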

There was another thing that bothered me: at the top of the page there's a line "Before submitting anything verify that the fingerprints of the SSL certificate match!" followed by a SHA-1 certificate fingerprint. Apart from the fact that it's English on a German page, this is a rather ridiculous suggestion. Checking the fingerprint of an SSL certificate against a value you obtained through exactly that SSL connection is bogus: whoever could tamper with the connection could just as well tamper with the fingerprint shown on the page. For a fingerprint check to make sense, the fingerprint has to come through a different channel. Besides that, nowhere is it explained how a user should do that or what a fingerprint is at all. I doubt that this is of any help to the target audience of a whistleblower platform - it will probably only confuse people.

Both issues give me the impression that the people who designed OpenLeaks don't really know how SSL works - and that's not a good sign.

Berlin: vote "Yes" tomorrow

Saturday, February 12. 2011, 22:20
A while ago I already promoted the initiative (Volksbegehren) for the disclosure of the Berlin water contracts here.

There have been some developments since then. The necessary signatures were collected, and a few days later the taz published the contracts on the Internet. This confirmed most of the fears that had previously been based only on rumours.

But the initiative was not only about the contracts on Berlin's water supply. In general, there should be transparency about contracts between public authorities and private companies. Furthermore, contracts that are not published should not be valid. The details are somewhat more complex; anyone interested in more is welcome to visit the extensive website of the Berliner Wassertisch.

The actual reason I'm writing: the referendum (Volksentscheid) on this takes place tomorrow (Sunday) - and I'd like to urge all Berliners reading this to go and vote "Yes".

Update: What I wrote there (and have now struck through) wasn't quite right (sorry, I hadn't informed myself sufficiently) - the initiative actually concerned »only« the water contracts. Also: as things stand, the referendum was successful!