Ministry of Defense channel for internal complaints.

Recently the Ministry of Defense created an internal channel for complaints and information, so that whistleblowers, especially those inside the organization, do not see their safety compromised and do not suffer possible retaliation or harassment.

When I read the news, the truth is that I was skeptical when they said it would be a safe channel, and the truth is that what they have done (even though it could be improved) is much better than I expected.

The system in question provides two channels, one postal and the other telematic:

  • Postal channel: Possibly many of you, like me, had the misconception that sending a letter requires a sender address. Nothing could be further from the truth. You can perfectly well send a letter without a return address, and deliver it either at the post office counter, in a street mailbox, or in the office's own mailbox. Some will think of the security of this route, but remember that letters are scanned, both at the Post Office and (in theory) on arrival at public bodies. Flaws remain, though; the famous case of bullets in envelopes comes to mind.
  • Telematic channel: Perhaps the one that most concerns those of us who work in CIS security. In this case, Defensa advises using the Tor network to carry out the procedure. Remember that the Tor Browser by default routes through 3 hops, and its FAQ also recommends against changing that number, since the few users with an unusual hop count would be easier to identify. The site then gives the address in Tor network format for your connection.

Well, as I mentioned, use of the Tor network is suggested for the telematic channel; it is not obligatory. Furthermore, this option is somewhat hidden at first glance and does not stand out, which seems like a mistake to me. So what is the default telematic route? A form, which opens another page over SSL/TLS. Despite having a trusted certificate installed, and despite citing the regulations it falls under, such as European Directive 2019/1937, the ISO 37002 standard and the General Data Protection Regulation 2016/679, it has certain issues worth reviewing.

Looking a little deeper, we can see some details that, even though they are secure, draw attention.

The certificate in question is issued by Geant OV, a certificate management organization; in this case an RSA 2048 public key is used with a SHA-256 fingerprint, and it is valid for 1 year. In turn, Geant is certified by the well-known entities Sectigo and UserTrust.
This catches my attention and I wonder why our own certification authorities were not used, such as the FNMT, which also offers this type of service.
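The inspection described above can be repeated and recorded rather than done by eye in the browser. The script below is an added example, not code from the post or from the Ministry: it fetches the certificate a TLS-protected form presents, using only Python's standard library and the system trust store, and reviews it against a short checklist (issuing organisation, validity window, lifetime within the 398-day cap for publicly trusted certificates, and an optional fingerprint recorded on an earlier visit). The hostname is a placeholder, since the post does not publish the portal's address, and the sample certificate dictionary is constructed to mirror the post's description rather than taken from the real site.

```python
"""Review the certificate a TLS-protected web form presents.

Added example, not the post's or the Ministry's code. Standard library only.
"""
import hashlib
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Placeholder hostname: the post does not publish the portal's address.
PORTAL_HOST = "complaints-portal.example.invalid"


def fetch_cert(host, port=443, timeout=5.0):
    """Connect with the system trust store (an untrusted chain raises
    ssl.SSLCertVerificationError) and return (parsed_cert, der_bytes)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


def rdn_value(name, key):
    """Pull one attribute (e.g. 'organizationName') out of the nested
    tuple-of-tuples layout getpeercert() uses for 'subject' and 'issuer'."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint of the DER encoding, the same
    value a browser's certificate viewer shows."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def utc(year, month, day):
    """Aware UTC timestamp, for passing a fixed 'now' to review_cert()."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def review_cert(cert, der, expected_issuer_org, pinned_fingerprint=None,
                max_lifetime_days=398, now=None):
    """Return a list of (check, passed, detail) tuples.

    Checks: the issuing organisation is the expected one, the certificate is
    inside its validity window, its lifetime does not exceed the 398-day cap
    for publicly trusted certificates, and (optionally) its fingerprint
    matches one recorded on an earlier visit.
    """
    now = now or datetime.now(timezone.utc)
    not_before = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    lifetime = not_after - not_before
    issuer_org = rdn_value(cert["issuer"], "organizationName")
    fingerprint = sha256_fingerprint(der)

    findings = [
        ("issuer organisation", issuer_org == expected_issuer_org, issuer_org),
        ("inside validity window", not_before <= now <= not_after,
         f"{not_before.date()} to {not_after.date()}"),
        (f"lifetime <= {max_lifetime_days} days",
         lifetime <= timedelta(days=max_lifetime_days), f"{lifetime.days} days"),
    ]
    if pinned_fingerprint is not None:
        findings.append(("fingerprint unchanged since last visit",
                         fingerprint == pinned_fingerprint.upper(), fingerprint))
    return findings


def all_passed(findings):
    return all(ok for _, ok, _ in findings)


# Constructed sample in getpeercert() layout, modelled on the post's
# description (OV certificate from GEANT, one-year lifetime); not real data.
SAMPLE_CERT = {
    "subject": ((("commonName", PORTAL_HOST),),),
    "issuer": ((("countryName", "NL"),),
               (("organizationName", "GEANT Vereniging"),),
               (("commonName", "GEANT OV RSA CA 4"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 23:59:59 2025 GMT",
}
SAMPLE_DER = b"constructed-der-bytes-not-a-real-certificate"


if __name__ == "__main__":
    try:
        cert, der = fetch_cert(PORTAL_HOST)
    except (OSError, ssl.SSLError) as exc:
        print(f"live fetch failed ({exc}); reviewing the constructed sample")
        cert, der = SAMPLE_CERT, SAMPLE_DER
    for check, ok, detail in review_cert(cert, der, "GEANT Vereniging"):
        print(f"[{'ok' if ok else 'FAIL'}] {check}: {detail}")
```

Run it against the real portal by replacing PORTAL_HOST; a first run prints the fingerprint, which can then be passed as pinned_fingerprint on later runs so that a silent change of certificate or issuer is noticed rather than trusted by default.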

It's not that this makes me distrustful, but it is at least curious.

I think more initiatives like this are needed at all levels of the public administration (AAPP), so that its officials and workers feel safe if they have to report something. But the process certainly must be made more transparent and more reliable.
