A US presidential campaign is citing SSL Labs ratings for their site; STOP LETTING HTTP GET 'A' RATINGS

Question asked by Dave Garrett on Mar 26, 2015
Latest reply on Mar 27, 2015 by Dave Garrett

https://twitter.com/csoghoian/status/580109826727907328

https://www.vox.com/2015/3/23/8277131/ted-cruz-ssl-nigerian-prince

A Ted Cruz campaign spokesman responded in an email statement: "The donate form embedded on TedCruz.org has SSL. All donations are and have always been secure. Our website earns an A-grade for its SSL."

TedCruz.org is HTTP, with HTTPS support that is not used by default. HTTPS actually redirects to HTTP, unless the "www" is dropped, then it's 404, but if you use HTTPS and go to "donate/" then HTTPS works (with SPDY 3.1). The form was previously over HTTP, now HTTPS after complaints. The donate.tedcruz.org domain currently appears to be HTTPS only, though no HSTS.

SSL Server Test: tedcruz.org (Powered by Qualys SSL Labs) -> rated 'A' as of 2015-3-26 (HTTPS currently only redirects to HTTP)

SSL Server Test: donate.tedcruz.org (Powered by Qualys SSL Labs) -> rated 'A' as of 2015-3-26

This is stupid. Qualys is literally being cited to the news on behalf of a high-profile US senator running a presidential campaign. (weirdly early start, but whatever) By giving this crap an 'A', you are endorsing the legitimacy of considering a total lack of security to be a valid option to be considered secure. It's contradictory nonsense.

As I previously posted, there are even sites with critical personal information that allow dangerous usage of HTTP for logging in, namely CVS.com (a major US pharmacy chain).

Sites should not be able to use HTTP & pass the HTTPS test

This is not an enhancement request. Continuing to do this makes me consider this test to be illegitimate. I personally send Qualys traffic via including this service as a default action in the Flagfox extension for Firefox, and by recommending Mozilla bug testers & reporters use this service when diagnosing & reporting connection issues for the bugs tracked for breakage/whitelisting due to attempts to drop SSL3, RC4, & insecure fallback support by Mozilla. (I am the developer of the Flagfox extension and am the creator of the Mozilla meta-bugs to track broken sites for Firefox's attempt at phasing this crap out ASAP)

All domains serving HTTP that do not immediately redirect to HTTPS must receive a failing grade on this test for it to have any meaning. (HSTS is of course preferred, but at minimum don't serve content with zero security) You are actually hitting non-tech news with your ratings, now. Please make them correct.

(Edited to update bizarre HTTP<->HTTPS domain redirect status)
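As an added example (not part of the original post, and not code from Qualys or SSL Labs), the following script performs the transport check the post argues a grade should depend on: does plain HTTP redirect to HTTPS, does the HTTPS entry point downgrade back to HTTP, and is HSTS set once HTTPS is reached. It assumes a caller-supplied `fetch(url)` that returns one response without following redirects itself; the `*.test` responses are constructed to model the behaviours described above, not captured from any real site.

```python
from dataclasses import dataclass, field
from urllib.parse import urljoin, urlparse


@dataclass
class Response:
    url: str
    status: int
    headers: dict = field(default_factory=dict)  # keyed by canonical header names


def follow(fetch, url, max_hops=10):
    """Follow redirects hop by hop with a caller-supplied fetch(url); return the chain."""
    chain = []
    for _ in range(max_hops):
        resp = fetch(url)
        chain.append(resp)
        if resp.status not in (301, 302, 303, 307, 308) or "Location" not in resp.headers:
            return chain
        url = urljoin(url, resp.headers["Location"])  # relative Location is allowed
    raise RuntimeError(f"too many redirects starting at {chain[0].url}")


def assess(host, fetch):
    """Report the plain-HTTP and downgrade behaviour the post says should fail a grade."""
    http_end = follow(fetch, f"http://{host}/")[-1]
    https_end = follow(fetch, f"https://{host}/")[-1]
    https_stays = urlparse(https_end.url).scheme == "https"
    http_redirects = urlparse(http_end.url).scheme == "https"
    findings = []
    if not https_stays:
        findings.append("https-downgrades-to-http")  # the HTTPS -> HTTP redirect case
    if not http_redirects:
        findings.append("http-served-without-redirect")  # content served with no transport security
    if https_stays and "Strict-Transport-Security" not in https_end.headers:
        findings.append("no-hsts")  # secure once reached, but the first HTTP visit is unprotected
    return {"host": host, "fail": not (https_stays and http_redirects), "findings": findings}


# Constructed responses modelling the three behaviours discussed above; not live data.
SITES = {r.url: r for r in [
    Response("http://downgrade.test/", 200),
    Response("https://downgrade.test/", 301, {"Location": "http://downgrade.test/"}),
    Response("http://nohsts.test/", 301, {"Location": "https://nohsts.test/"}),
    Response("https://nohsts.test/", 200),
    Response("http://hsts.test/", 301, {"Location": "https://hsts.test/"}),
    Response("https://hsts.test/", 200, {"Strict-Transport-Security": "max-age=31536000"}),
]}

if __name__ == "__main__":
    for host in ("downgrade.test", "nohsts.test", "hsts.test"):
        print(assess(host, lambda u: SITES[u]))  # offline stand-in for a real fetch
```

A real `fetch` must return each redirect unfollowed (the default `urllib.request` opener follows them silently), otherwise the HTTPS-to-HTTP hop that the post complains about would be invisible to the check.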