Which Presidential Candidate Has Enabled the Baseline of Security on Their Site?

Policies and programs are great, but what about web crypto?

Apr 13 2015, 4:11pm

Image: mistydawnphoto/Shutterstock

November 2016 is just around the corner—well, not really, but you know the drill. In America, it's already presidential election season.

Four candidates have already come out to announce their bid for Barack Obama's seat in the Oval Office. And Americans are already bracing for almost eighteen months of restless and exhausting media coverage.

But forget about Hillary's past personal scandals, Marco Rubio's silly watergate, or Rand Paul's anti-mass-surveillance ideas. Let's look at the candidates with the eyes of a geek.

Better yet, it's 2015 for god's sake, who cares about the candidates. Let's look at their websites and how secure they are. After all, it's the age of "encrypt all the things" on the web.

"As the internet becomes even more ingrained in our everyday lives, the next president must know that internet security for them—and for users—is non-negotiable," Amie Stepanovich, the senior policy counsel at Access, an organization that launched the "Encrypt all the Things" campaign, told Motherboard.

We'll see if the next president loves all kinds of encryption as much as we do, but we should expect her, or him, to at least encrypt their own site. After all, even the White House is pushing for all government sites to be encrypted by default.

Paul Schreiber, a senior web developer at political and data site FiveThirtyEight, did exactly that, and examined and compared the security and configuration of the four candidates' websites.

"So, you want to run a country. Can you hire someone who can run a website?" he wrote, adding that nowadays, the most important thing to look at in a site is its security, or, more specifically, whether it's encrypted with HTTPS or not.

Switching a website to HTTPS means putting a layer of protection on top of regular HTTP traffic, which travels in the open and is vulnerable to snoops. To do that, webmasters use Transport Layer Security (TLS) or the older Secure Sockets Layer (SSL). Beyond adding a simple "S" to the "http" at the start of the URL, an encrypted website makes every connection to it more secure and private.

And according to Schreiber's analysis, it looks like Hillary Clinton and Marco Rubio are the frontrunners for the privacy-minded geek vote.

Their sites not only support HTTPS, but are encrypted by default, meaning they force all visitors to the encrypted HTTPS version.

Rand Paul, this year's most vocal anti-surveillance candidate (he's even selling anti-NSA webcam stickers and accepts Bitcoin for donations), actually doesn't have HTTPS enabled by default. If you type randpaul.com, you go to the unencrypted site.

Ted Cruz's site has the same issue, with the added minus that if you try to visit https://tedcruz.org (without the www. at the beginning of the URL) you get a 404. Another sign that Ted Cruz isn't very good at this new thing called the internet.
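As an added illustration (not code from Schreiber's analysis or from this article), the difference between a site that merely supports HTTPS and one that is encrypted by default can be read off its redirect chain. The domains and response tables below are constructed sample data, and `follow` and `audit` are hypothetical helper names.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def follow(url, responses, max_hops=5):
    """Walk a redirect chain; return (final_url, final_status or None)."""
    for _ in range(max_hops + 1):
        status, location = responses.get(url, (None, None))
        if status in REDIRECTS and location:
            url = urljoin(url, location)  # Location may be relative
        else:
            return url, status
    return url, None  # too many hops: treat as a failure

def audit(domain, responses):
    """Classify the bare domain and its www. host."""
    report = {}
    for host in (domain, "www." + domain):
        http_final, http_status = follow(f"http://{host}/", responses)
        https_final, https_status = follow(f"https://{host}/", responses)
        report[host] = {
            # A visitor who types https:// gets a page, still over HTTPS.
            "https_works": https_status == 200
                and urlsplit(https_final).scheme == "https",
            # A visitor who types the plain name ends up on HTTPS anyway.
            "https_by_default": http_status == 200
                and urlsplit(http_final).scheme == "https",
        }
    return report

# Constructed sample data: (status, Location) per URL. Not measurements of any real site.
FORCED = {
    "http://forced.example/": (301, "https://forced.example/"),
    "http://www.forced.example/": (301, "https://www.forced.example/"),
    "https://forced.example/": (301, "https://www.forced.example/"),
    "https://www.forced.example/": (200, None),
}
OPTIONAL = {
    "http://optional.example/": (301, "http://www.optional.example/"),
    "http://www.optional.example/": (200, None),
    "https://optional.example/": (404, None),  # bare domain broken over HTTPS
    "https://www.optional.example/": (200, None),
}

if __name__ == "__main__":
    for name, table in (("forced.example", FORCED), ("optional.example", OPTIONAL)):
        print(name, audit(name, table))
```

The second table reproduces the pattern described above: HTTPS is available on the www. host but nothing sends plain-HTTP visitors to it, and the bare domain fails over HTTPS.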

"I was curious to see how presidential candidates fared: did their sites meet current best practices for website development?" Schreiber told Motherboard. "Sadly, when it comes to HTTPS, most did not."

Supporters of encryption are applauding Schreiber's project.

"I love this post, and I'm really happy we're in a place where presidential candidates get evaluated on their tech and privacy stack," Eric Mill, a technologist at 18F, told Motherboard.

Mill, who's been pushing for more web encryption across the internet, added that Schreiber's analysis doesn't take into account other factors related to privacy, such as how many third-party trackers a website contains. In the case of hillaryclinton.com, it's a whopping 18, according to Mill's own quick analysis. (He still has to look at the other candidates' sites.)

And this is not just a trivial, geeky effort. Mill explained that "since campaign staff often become governing staff, it's also quite reasonable to use it as evidence of how they'd manage tech if elected."

And while this, as Schreiber put it, is "only a small piece of the puzzle," keep it in mind when you head to the polls next year.