Monday, March 23, 2015

Ted Cruz’s website poses unnecessary security risks for donors



It’s one of the most fundamental rules of online security: if you’re asking for sensitive information such as a credit card number, you should use a technology called SSL, or Secure Sockets Layer. This type of encryption is built into all modern web browsers, and it prevents people who are eavesdropping on your communications from snatching your sensitive data.


This morning, Sen. Ted Cruz (R-TX) announced his presidential campaign, and he launched a website that solicits campaign donations. But it doesn’t show the little icon that indicates SSL is enabled:



On SSL-protected websites, there should be a padlock icon in the address bar, like this:



As it turns out, the website does use SSL when users actually submit their credit card information. But there are two big problems with the way this is implemented. One is that the lack of SSL protection for the donation page as a whole means that the user is vulnerable to a “man in the middle” attack, where someone impersonates the Cruz website and directs the user to a malicious site instead.


Second, there’s no way for ordinary users to know if their credit card details are encrypted or not. For more than a decade, users have been trained to look for that lock icon before submitting personal information. The way Cruz built his website encourages users to do something dangerous: submit credit card information without knowing whether it’s secure. If this practice became widespread, users would be more vulnerable because they’d never know if their information is secure or not.


It turns out that the Ted Cruz for president site does offer SSL protection if you navigate to it directly by adding an “https://” in front of the address. However, when I go there with Chrome, I get the not-very-reassuring message that “this page includes other resources which are not secure,” meaning that some parts of the webpage are encrypted and others are not. And then there’s this:
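The two page-level problems described above (a donation form submitting over HTTPS from a page that is itself plain HTTP, and HTTP resources loaded into an HTTPS page) can be checked mechanically. The following Go program is an added example written for this article, not code from the campaign site or from Vox; the HTML, the domain names (`campaign.example`, `donate.example`, `cdn.example`, `static.example`) and the audit function are constructed here. It resolves form actions, iframe sources and resource URLs against the page URL the way a browser would, and reports each finding.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Finding is one problem reported by AuditPage.
type Finding struct {
	Kind   string // "secure-target-on-insecure-page", "plaintext-target" or "mixed-content"
	Target string // absolute URL the form submits to, or the resource is loaded from
}

var (
	// The form's action attribute is where the submitted card data goes.
	formActionRe = regexp.MustCompile(`(?i)<form\b[^>]*\baction\s*=\s*["']([^"']+)["']`)
	// Embedded donation forms are often iframes; treat their src like a form action.
	iframeRe = regexp.MustCompile(`(?i)<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']`)
	// Resources a browser flags as mixed content when loaded over HTTP into an HTTPS page.
	resourceRe = regexp.MustCompile(`(?i)<(?:script|img|video|audio|source|embed)\b[^>]*\bsrc\s*=\s*["']([^"']+)["']`)
)

// AuditPage inspects the HTML of a page served from pageURL and reports:
//   - a form or embedded frame that submits over HTTPS while the page itself is
//     plain HTTP (no lock is shown, and the page can be altered before it reaches the user);
//   - a form or frame that submits over plain HTTP;
//   - resources loaded over HTTP into an HTTPS page (mixed content).
// Relative and scheme-relative URLs are resolved against pageURL, as a browser would.
func AuditPage(pageURL, html string) ([]Finding, error) {
	base, err := url.Parse(pageURL)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	targets := formActionRe.FindAllStringSubmatch(html, -1)
	targets = append(targets, iframeRe.FindAllStringSubmatch(html, -1)...)
	for _, m := range targets {
		dest, err := base.Parse(m[1])
		if err != nil {
			continue
		}
		switch {
		case base.Scheme == "http" && dest.Scheme == "https":
			findings = append(findings, Finding{"secure-target-on-insecure-page", dest.String()})
		case dest.Scheme == "http":
			findings = append(findings, Finding{"plaintext-target", dest.String()})
		}
	}
	if base.Scheme == "https" {
		for _, m := range resourceRe.FindAllStringSubmatch(html, -1) {
			res, err := base.Parse(m[1])
			if err != nil {
				continue
			}
			if res.Scheme == "http" {
				findings = append(findings, Finding{"mixed-content", res.String()})
			}
		}
	}
	return findings, nil
}

// donatePageHTML is a constructed page for this example, not content from any real site.
const donatePageHTML = `<html><body>
<iframe src="https://donate.example/embed/campaign"></iframe>
<form action="https://donate.example/charge" method="post"><input name="card"></form>
<script src="http://cdn.example/track.js"></script>
<img src="//static.example/logo.png">
</body></html>`

func main() {
	// The same HTML audited as an HTTP page and as an HTTPS page gives different findings.
	for _, page := range []string{"http://campaign.example/donate", "https://campaign.example/donate"} {
		findings, err := AuditPage(page, donatePageHTML)
		if err != nil {
			panic(err)
		}
		fmt.Println(page)
		for _, f := range findings {
			fmt.Printf("  %-32s %s\n", f.Kind, f.Target)
		}
	}
}
```

Served over HTTP, the constructed page yields two `secure-target-on-insecure-page` findings (the form and the iframe); served over HTTPS, the same page yields one `mixed-content` finding for the tracking script, while the scheme-relative logo resolves to HTTPS and is clean.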



This is the SSL certificate for tedcruz.org, the digitally signed document that’s supposed to prove you’re really visiting tedcruz.org rather than an imposter site trying to steal your credit card number. SSL certificates sometimes list alternative addresses for the same website. For example, if Cruz also owned tedcruz.com, the SSL certificate could list that as an alternative domain.


For some reason, the SSL certificate for tedcruz.org lists nigerian-prince.com as another valid address for Cruz’s website. (Update: the Cruz campaign appears to have removed nigerian-prince.com from the certificate around 11am.)
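To see what the alternative-name list in a certificate actually does, and how a site operator can notice a name that should not be there, here is an added Go example (not code from the article or from the campaign). It constructs a throwaway self-signed certificate whose Subject Alternative Name extension carries three DNS names, standing in for the certificate a real site would present; the names `campaign.example`, `www.campaign.example` and `unrelated-site.example` are placeholders chosen for this example. It then lists the names, performs the same hostname match a browser performs, and reports any name not on the operator's own list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewSelfSignedCert creates a short-lived self-signed certificate whose
// Subject Alternative Name extension lists dnsNames. It is constructed for this
// example only; a real site would present a certificate issued by a CA.
func NewSelfSignedCert(commonName string, dnsNames []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// ParseCertPEM decodes the first CERTIFICATE block in pemBytes.
func ParseCertPEM(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("input does not contain a PEM CERTIFICATE block")
	}
	return x509.ParseCertificate(block.Bytes)
}

// CertDNSNames returns every DNS name the certificate is valid for.
func CertDNSNames(pemBytes []byte) ([]string, error) {
	cert, err := ParseCertPEM(pemBytes)
	if err != nil {
		return nil, err
	}
	return cert.DNSNames, nil
}

// HostAccepted reports whether a browser's name check would accept this
// certificate for host. Only the SAN list counts; the Common Name is ignored.
func HostAccepted(pemBytes []byte, host string) (bool, error) {
	cert, err := ParseCertPEM(pemBytes)
	if err != nil {
		return false, err
	}
	return cert.VerifyHostname(host) == nil, nil
}

// UnexpectedNames returns the certificate's DNS names that are not in owned,
// the list of domains the operator knows it controls.
func UnexpectedNames(pemBytes []byte, owned []string) ([]string, error) {
	names, err := CertDNSNames(pemBytes)
	if err != nil {
		return nil, err
	}
	known := make(map[string]bool, len(owned))
	for _, o := range owned {
		known[o] = true
	}
	var unexpected []string
	for _, n := range names {
		if !known[n] {
			unexpected = append(unexpected, n)
		}
	}
	return unexpected, nil
}

func main() {
	owned := []string{"campaign.example", "www.campaign.example"}
	// Placeholder names; the third one is the kind of entry an operator should question.
	certPEM, err := NewSelfSignedCert("campaign.example",
		[]string{"campaign.example", "www.campaign.example", "unrelated-site.example"})
	if err != nil {
		panic(err)
	}
	names, _ := CertDNSNames(certPEM)
	fmt.Println("certificate is valid for:", names)
	unexpected, _ := UnexpectedNames(certPEM, owned)
	fmt.Println("names not on the owned list:", unexpected)
}
```

The point of `HostAccepted` is that a browser asks only whether the host in the address bar appears in the certificate's name list, so every extra entry in that list is a host the certificate (and its private key) vouches for. Running `UnexpectedNames` against a known list of owned domains is a cheap check to add wherever certificates are issued or renewed.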


Thanks to Twitter user Pwn All the Things for pointing this out.


A Ted Cruz campaign spokesman responded in an email statement: “The donate form embedded on TedCruz.org has SSL. All donations are and have always been secure. Our website earns an A-grade for its SSL.”


Correction: This article originally stated that the site doesn’t use SSL encryption at all. In fact, the submission of the credit card data is encrypted, but the lack of encryption for the donation page as a whole creates unnecessary risks for user security, as explained above.




What is SSL?



SSL, short for Secure Sockets Layer, is a family of encryption technologies that allows web users to protect the privacy of information they transmit over the internet.


When you visit a secure website such as Gmail.com, you’ll see a lock next to the URL, indicating that your communications with the site are encrypted. Here’s what that looks like in Google’s Chrome browser:




That lock is supposed to signal that third parties won’t be able to read any information you send or receive. Under the hood, SSL accomplishes that by transforming your data into a coded message that only the recipient knows how to decipher. If a malicious party is listening to the conversation, it will only see a seemingly random string of characters, not the contents of your emails, Facebook posts, credit card numbers, or other private information.


SSL was introduced by Netscape in 1994. In recent years, there has been a trend toward major online services using encryption by default. Today, Google, Yahoo, and Facebook all use SSL encryption by default for their websites and online services.


When implemented correctly, SSL is believed to be highly secure. But in 2014 a number of problems were found in widely used SSL software. In February, a serious flaw was discovered in Apple’s implementation of SSL. The next month a flaw was found in another SSL implementation that was popular with open source operating systems. The most serious vulnerability, known as Heartbleed, was discovered in April. It affects OpenSSL, which is installed on a majority of the world’s web servers.





