mike watkins dot ca : Campaign Site Security Followup

Campaign Site Security Followup

Today we have Stars and Dogs awards to hand out. Stars go to the Conservative site team – they’ve noted the error of their ways and have rectified the issues I noted here yesterday.

Dogs are handed out to the folks over at the inappropriately named Conservative Life Forum (folks, get a life) who accuse me of making libelous accusations. I simply have no time to make up issues, as these good (?) folks seem to think I may be doing. The bottom line is this:

  • All references to the donation / membership pages suggested security was in place at all times (and insecure pages, as of today, still do make this claim)
  • Yes, it's true that the personal data collection pages do not have to be secured, but if you are going to imply that they are secure, and have the ability, then why are they not?
  • The pages collecting both personal data as well as financial data all suggest the pages are secure. This is not true. In my book, if you say something is secure, you make it secure. Period, full stop. Do not mislead people.
  • Finally, and pay attention here because this is important, until sometime late Thursday evening, the page on which Payment Information (credit card data, etc.) was collected was linked to from the prior page (via the Proceed button) using http: as a scheme, not https:.

Late yesterday (checked somewhere between 10pm and 1am ET), the Conservative site folks changed that Proceed button to link to the correct URL using the https scheme. However, they did not implement the last of my suggestions, testing the request URL to ensure that it was indeed an https URL, until sometime today.

Over on Conservative Life they delight in indignation but manage to get a number of key points wrong.

“ferret” says:

Users can be assurred (sic) that the donation section of the Conservative Party website is 100% secure.

This, dear ferret, is correct, but only as of late Thursday. Until the change and when I wrote the article, the donation / membership pages were completely insecure.

Paul Morrison says:

“As a e-commerce solutions provider, I can assure you that Mike Watkins is completely wrong. [snip] Oh, as another note, there is absolutely no way the Conservative party could have changed all this in a day or less. re-coding a secure data transfer system is not done in a matter of a couple of hours.”

Paul, I never said they didn’t have a secure facility available; I said that, through carelessness, they were not using it. Specifically, I stated:

The CPC site can deliver a secure transaction

Let's net this all out—I discovered that the CPC web site, through carelessness, had exposed data collection forms that were not secure, but easily could be. All that was required, as I stated:

Fortunately, the fix is easy. A few links need to be changed from http://... to https://...

Clearly someone at Party HQ got the message and fixed the issue last night (hooray!), and implemented my second suggestion (bonus points to them):

But this type of error should never sneak through these days. Come on folks, it's not that hard to test what scheme your site visitor is coming to you on. Check the request URI for https at the start of the string, and if it's a regular http connection, redirect them with a URI using the proper, secure, scheme. In doing so you'll not only prevent linking errors on your own site but also avoid potential security problems caused by external links back to your site.
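Here is what those two checks look like in code. This is an added example written for this post, not the CPC site's code or anything from the party's site team: the paths (`/donate`, `/membership`, `/payment`), the `www.example.org` host and the sample page are all constructed. The first half inspects the scheme a request arrived on and produces a redirect to the https URL; the second half audits a page's links and form actions so a Proceed button pointing at a payment page over plain http is caught before it ships.

```python
"""Added example: enforce https on data-collection pages and audit a page's links.

Two defensive checks: (1) look at the scheme a request arrived on and redirect
plain-http requests for sensitive pages to the https URL; (2) scan a page's links
and form actions so a 'Proceed' button never reaches a sensitive page via http.
Paths, host names and the sample page are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Hypothetical paths that must only be reached over https.
SECURE_PATHS = ("/donate", "/membership", "/payment")


def is_secure_path(path):
    """True when the path is one of the sensitive pages (or below one of them)."""
    return any(path == p or path.startswith(p + "/") for p in SECURE_PATHS)


def https_redirect_for(request_url):
    """Return the https URL a plain-http request should be redirected to.

    Returns None when the request already uses https. Only an exact 'https'
    scheme counts; 'http', a missing scheme or anything else is treated as insecure.
    """
    parts = urlsplit(request_url)
    if parts.scheme.lower() == "https":
        return None
    host = parts.netloc
    if host.endswith(":80"):            # drop the explicit default http port
        host = host[:-3]
    return urlunsplit(("https", host, parts.path, parts.query, ""))


def wsgi_redirect(environ, forwarded_proto=None):
    """Build the request URL from a WSGI environ and decide whether to redirect.

    `forwarded_proto` stands in for the scheme a TLS-terminating proxy reports
    (for example via an X-Forwarded-Proto header); when given it overrides
    wsgi.url_scheme, because behind such a proxy the application itself only
    ever sees plain http. Returns (status, headers) for a redirect, or None.
    """
    scheme = (forwarded_proto or environ.get("wsgi.url_scheme", "http")).lower()
    path = environ.get("PATH_INFO", "/")
    if not is_secure_path(path):
        return None                       # public page: nothing to enforce
    url = urlunsplit((scheme, environ.get("HTTP_HOST", ""), path,
                      environ.get("QUERY_STRING", ""), ""))
    target = https_redirect_for(url)
    if target is None:
        return None
    return ("301 Moved Permanently", [("Location", target)])


class _LinkCollector(HTMLParser):
    """Collect the href of every anchor and the action of every form."""

    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.targets.append(attrs["href"])
        elif tag == "form" and attrs.get("action"):
            self.targets.append(attrs["action"])


def insecure_links(page_html, page_url):
    """Return absolute targets on the page that reach a secure path over plain http."""
    collector = _LinkCollector()
    collector.feed(page_html)
    bad = []
    for href in collector.targets:
        target = urljoin(page_url, href)      # resolve relative links against the page
        parts = urlsplit(target)
        if parts.scheme.lower() == "http" and is_secure_path(parts.path):
            bad.append(target)
    return bad


# Constructed sample: the Proceed button on the membership page posts to the
# payment page over http, while the donation link is correct.
SAMPLE_PAGE = """
<html><body>
<p>This page is secure.</p>
<a href="https://www.example.org/donate">Donate</a>
<form action="http://www.example.org/payment" method="post">
  <input type="submit" value="Proceed">
</form>
</body></html>
"""

if __name__ == "__main__":
    print(https_redirect_for("http://www.example.org/donate?step=2"))
    print(insecure_links(SAMPLE_PAGE, "https://www.example.org/membership"))
```

The redirect only repairs navigation: anything a visitor has already submitted over http has left their browser in the clear before the server can answer, which is why the link audit matters as much as the scheme check. The `forwarded_proto` parameter is there because a site fronted by a TLS-terminating proxy sees every request as http internally; without the proxy passing the original scheme through, the check would redirect forever.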

Meanwhile – you folks over at Conservative Life, particularly the “experts” who ought to know better, get a life. I’m quite prepared to defend my comments, and with almost twenty years in the information technology business, including being involved with the Internet before there were such things as web browsers, you can be sure that I know what I am talking about.

It's not libelous to note an issue and report on it accurately. Somewhere there is a person sitting in a cubicle at party HQ, a technical resource person, who knows exactly what I am talking about, because someone rectified the issues which I observed and triple checked before reporting them here in my weblog.

My point was to highlight carelessness; I trust the Conservative Party, of which I am a member (I was a member of both founding parties too), will work harder at avoiding such episodes. I know I’ll be keeping my eye out on all the campaigns.