
Ted Cruz’s website poses unnecessary security risks for donors

Sen. Ted Cruz (R-TX)
Alex Wong/Getty Images

It’s one of the most fundamental rules of online security: if you’re asking for sensitive information such as a credit card number, you should use a technology called SSL, or Secure Sockets Layer. This type of encryption is built into all modern web browsers, and it prevents people who are eavesdropping on your communications from snatching your sensitive data.

This morning, Sen. Ted Cruz (R-TX) announced his presidential campaign, and he launched a website that solicits campaign donations. But it doesn’t show the little icon that indicates SSL is enabled:

On SSL-protected websites, there should be a padlock icon in the address bar, like this:

As it turns out, the website does use SSL when users actually submit their credit card information. But there are two big problems with the way this is implemented. One is that the lack of SSL protection for the donation page as a whole means that the user is vulnerable to a “man in the middle” attack, where someone impersonates the Cruz website and directs the user to a malicious site instead.

Second, there’s no way for ordinary users to know if their credit card details are encrypted or not. For more than a decade, users have been trained to look for that lock icon before submitting personal information. The way Cruz built his website encourages users to do something dangerous: submit personal credit card information without knowing if it’s secure or not. If this practice became widespread, users would be more vulnerable because they’d never know if their information was secure or not.

It turns out that the Ted Cruz for president site does offer SSL protection if you navigate to it directly by adding an “https://” in front of the address. However, when I go there with Chrome, I get the not-very-reassuring message that “this page includes other resources which are not secure,” meaning that some parts of the webpage are encrypted and others are not. And then there’s this:

This is the SSL certificate for tedcruz.org, the digitally signed document that’s supposed to prove you’re really visiting tedcruz.org rather than an imposter site trying to steal your credit card number. SSL certificates sometimes list alternative addresses for the same website. For example, if Cruz also owned tedcruz.com, the SSL certificate could list that as an alternative domain.

For some reason, the SSL certificate for tedcruz.org lists nigerian-prince.com as another valid address for Cruz’s website. (Update: the Cruz campaign appears to have removed nigerian-prince.com from the certificate around 11am.)

Thanks to Twitter user Pwn All the Things for pointing this out.

A Ted Cruz campaign spokesman responded in an email statement: "The donate form embedded on TedCruz.org has SSL. All donations are and have always been secure. Our website earns an A-grade for its SSL."

Correction: This article originally stated that the site doesn’t use SSL encryption at all. In fact, the submission of the credit card data is encrypted, but the lack of encryption for the donation page as a whole creates unnecessary risks for user security, as explained above.
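
The two page-level problems described above (a donation form or embedded frame on a page loaded without SSL, and an SSL page that includes resources which are not secure) can be checked mechanically. The following Python is an added example, not code from the article or from the campaign's site; the host names and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute holding the URL the browser loads or submits to.
URL_ATTRS = {"form": "action", "iframe": "src", "script": "src", "img": "src"}
SENSITIVE = {"form", "iframe"}  # where a donor would type card details


class PageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_secure = urlparse(page_url).scheme == "https"
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        raw = dict(attrs).get(attr)
        if raw is None and tag != "form":
            return
        # A form with no action submits to the page's own URL.
        target = urljoin(self.page_url, raw or "")
        scheme = urlparse(target).scheme
        if tag in SENSITIVE and not self.page_secure:
            # The page itself can be altered in transit, so even an HTTPS
            # target gives the user no padlock and no integrity guarantee.
            kind = ("secure-target-on-insecure-page" if scheme == "https"
                    else "insecure-submission")
            self.findings.append((kind, tag, target))
        elif self.page_secure and scheme == "http":
            self.findings.append(("mixed-content", tag, target))


def audit(page_url, html):
    """Return (kind, tag, url) findings for one fetched page."""
    parser = PageAudit(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample: a donate page that embeds an HTTPS payment frame.
SAMPLE_HTML = """
<html><body>
<img src="http://donate.example/banner.png">
<script src="/static/app.js"></script>
<iframe src="https://pay.example/form"></iframe>
</body></html>
"""
```

Run against the same markup, `audit("http://donate.example/", SAMPLE_HTML)` reports the embedded frame as a secure target on an insecure page, while the `https://` variant reports the banner image as mixed content.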
