Campaign Sites - Security
Today lets have a gander at campaign site security at a high level—I’ve set up sample transactions to the point where I would have to commit sensitive data on all the party web sites, but I’ve no intention of sending actual financial transactions to any party over the web. What I’ve found is that all campaign sites purport to offer secure financial transactions over the web, however, one completely failed to live up to their promise…
All sites offer secure communications via encrypted https secure socket layer; unfortunately the implementation of some of the campaign web sites makes it possible for a user to intentionally or unintentionally enter sensitive information on an insecure page.
The Winners: All parties except for the Conservative Party provide links to secure pages off their primary web pages. Both the Liberal and the Green Party websites go a step further and smartly redirect the user to a secure https URL, even if the user is somehow delivered to an insecure http URL. Good work on their part; the rest should do this – implementation cost? Less than 10 minutes of developer and testing time.
Half marks go to the NDP website – if a user gets sent to a secure page but with the http scheme, an error page will come up rather than a redirection (preferable) to the correct URL scheme. Half marks also go to the Bloc site, as only personal information but no financial information is gathered on an insecure page, before being redirected to a Desjardins Securities hosted payment site. That site will only allow a secure connection over https.
The Loser: The Conservative Web site not only will allow sensitive data to be collected over an insecure http connection, the front and main pages of the site currently direct the user to the insecure page!
Conservative Party – Misplaced Security
In what appears to be a trend, the CPC website ranks dead last in the Internet security category, following yesterday’s dead last finish in the accessibility category.
The CPC site can deliver a secure transaction, but, so far as of day 4 of the campaign, if you go to the donate or membership page off the action center links on the “home page” of the site, you’ll be taken to a completely insecure page.
False assurance
As well, the donation primary page has links which lead to insecure pages where credit card information is taken.
This state of affairs is totally unacceptable, and its likely not to get fixed until an observant user or the press get wind of this.
Fortunately, the fix is easy. A few links need to be changed from http://... to https://...
But this type of error should never sneak through these days. Come on folks, its not that hard to test what scheme your site visitor is coming to you on. Check the request URI for https at the start of the string, and if its a regular http connection, redirect them with a URI using the proper, secure, scheme. In doing so you’ll not only prevent linking errors on your own site but also avoid potential security problems caused by external links back to your site.
Other problems noted:
- In testing I set up a potential new member, electing the single year 10$ membership fee and nothing else; despite this, the site insisted that I was going to donate $100.00. Eventually, after I did some browser gymnastics, this unintentional donation amount was cleared; most people would just give up.
- Once you get onto the secure site, the home link doesn’t take you “home” – it keeps you on the secure donation page, leading to a frustrating experience for your most loyal of site visitors. Treat them better!
These errors and mistakes sneaking through to a production site speak to a complete lack of testing on the part of Conservative Party site designers and programmers. There are no excuses for this lack of care.