posted by mrcoolbp on Saturday April 18 2015, @01:57AM
from the executive-material? dept.
Paul Schreiber blogs about the tech behind the websites of presidential candidates. "So, you want to run a country. Can you hire someone who can run a website? ...Here's how the (declared) candidates' sites fare." There's a table comparing 4 candidates' sites based on HTTPS, URL permutations, IPv6, SSL rating, and other related qualities. Schreiber mentions that he will "update this as more candidates declare or sites change."
From the blog comments
HillaryClinton.com was using IIS (and no https) until Sunday morning, when they switched over.
The Website Tech of Presidential Candidates Compared
(Score: 2, Troll) by M. Baranczak on Saturday April 18 2015, @02:37AM
(Score: 0) by Anonymous Coward on Saturday April 18 2015, @02:49AM
What's wrong with WordPress?
(Score: 4, Insightful) by VortexCortex on Saturday April 18 2015, @04:41AM
What isn't wrong with WordPress? I can crack any WordPress 6 ways to Sunday; it's written in PHP (and so are all of its themes and plugins) and the coding is atrocious. The developers are asshats and don't like it when you tell them they're wrong. They have a huge case of "not invented here" syndrome and so they remain bug-ridden and insecure as fuck -- typical of nearly any PHP project. The same goes for phpBB, et al.
(Score: 0) by Anonymous Coward on Saturday April 18 2015, @11:58AM
> don't like it when you tell them they're wrong.
Because everybody else just loves that!
(Score: 0) by Anonymous Coward on Saturday April 18 2015, @01:40PM
hey, I think you just broke the fourth wall there. That was very much out of your character compared to your regular posting personality.
(Score: 1, Informative) by Anonymous Coward on Saturday April 18 2015, @02:45AM
What's wrong with using IIS? Modern versions are very capable and robust.
(Score: 4, Funny) by Tork on Saturday April 18 2015, @03:05AM
Slashdolt Logic: "25 year old jokes about sharks and lasers are +5, Funny." 💩
(Score: 0) by Anonymous Coward on Saturday April 18 2015, @03:13AM
Are you trying to be funny?
(Score: 2) by kaszz on Saturday April 18 2015, @10:30AM
No, he tries to show that operating systems from Microsoft put the user in impossible situations and generally cause problems that need not be. So one should not use it.
(Score: 0) by Anonymous Coward on Saturday April 18 2015, @12:02PM
You've been Poe'd. Read the last sentence again.
(Score: 0) by Anonymous Coward on Saturday April 18 2015, @12:26PM
Once upon a midnight dreary,
while I pondered, weak and weary,
Over many a quaint and curious volume of forgotten lore,
While I nodded, nearly napping,
suddenly there came a tapping,
As of some one gently rapping,
rapping at my chamber door.
"Suck my rock hard cock you dirty skanky whore!"
(Score: 5, Insightful) by bzipitidoo on Saturday April 18 2015, @03:34AM
The article declares that all sites should be built over https. Why? We can still use ftp to download Linux kernels and other such things for the very good reason that it is broadcasting to the public, and there is no private communication involved. Saying all websites should use https is like saying all sources of radio signals, from cell phones to radio stations, should encrypt their signals. Yes to cellphones encrypting their signals, no to radio and TV stations needing to do that.
Https is appropriate for parts of the websites, like the campaign donation buttons. But for just stating positions and policies, https is unnecessary, and even a little detrimental.
(Score: 5, Insightful) by Jeremiah Cornelius on Saturday April 18 2015, @03:49AM
We need HTTPS everywhere, normative, all the time.
People should recoil at exposed HTTP the same way they refrain from Telnet vs SSH.
Ask the security researchers that look at how HTTP streams are hijacked and injected on ad networks - one of the most prolific vectors for ordinary pwnage of personal computers. These were all thwarted by HTTPS.
You're betting on the pantomime horse...
(Score: 2, Interesting) by Anonymous Coward on Saturday April 18 2015, @04:02AM
HTTPS totally falls apart because the CA system is fucking broken.
You keep going on and on about security, but you totally ignore one of the biggest goddamn security flaws out there.
(Score: 2) by kaszz on Saturday April 18 2015, @10:37AM
It's better than nothing security. A quick fix using an existing standard.
(Score: 2, Informative) by Anonymous Coward on Saturday April 18 2015, @12:50PM
No, it's worse. It offers no real security, but tricks people like you into thinking it offers security. A false sense of security is worse than no security. A false sense of security combined with no security is even worse than that.
(Score: 0) by Anonymous Coward on Saturday April 18 2015, @03:49PM
It absolutely offers some security. The NSA and other agencies with compromised CAs are not the only threat out there. Other threats include ISPs fucking with the data stream like adding supercookies to make every request trackable [forbes.com] and injecting ads or malware [arstechnica.com] and snooping on all your browsing to build a profile they can sell to the highest bidder. [arstechnica.com]
The perfect is the enemy of the good. Quit being an enemy of the good.
(Score: 1) by Fauxlosopher on Saturday April 18 2015, @06:10PM
The good can also be tools of evil if people are satisfied with the so-called good and forget to deal with the evil.
Sure, use HTTPS/encryption in cases where it makes sense to do so - but do NOT forget that the evil must still be dealt with. Keep looking for an opportunity to destroy the evil at the root of the problem.
If all encryption were 100% unbreakable by anybody, you'd still be exposed to powerful metadata analysis by the criminals in the NSA, et al.: "We kill people based on metadata [rt.com]." -Michael Hayden, former CIA and NSA director
(Score: 0) by Anonymous Coward on Sunday April 19 2015, @02:16AM
> The good can also be tools of evil if people are satisfied with the so-called good and forget to deal with the evil.
Yeah, yeah, yeah. We've already been down that path in this same thread. Thanks for regurgitating:
>> The NSA and other agencies with compromised CAs are not the only threat out there.
> If all encryption were 100% unbreakable by anybody, you'd still be exposed to powerful metadata analysis by the criminals in the NSA, et al.:
(Score: 0) by Anonymous Coward on Sunday April 19 2015, @08:17AM
I'll consider it just as soon as people stop implying that the use of known-broken cryptosystems is some sort of panacea, then getting indignant when the brokenness is brought up by others.
(Score: -1, Troll) by Anonymous Coward on Saturday April 18 2015, @04:00AM
It's a hipster thing. They're all rah-rah-rah for HTTPS these days.
(Score: 1, Interesting) by Anonymous Coward on Saturday April 18 2015, @06:53AM
No, it's because the more encryption there is, the harder it will be for the government to tell 'important' communication from 'unimportant' communication, thereby providing some cover for those that need encryption the most.
(Score: 5, Informative) by FatPhil on Saturday April 18 2015, @08:01AM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2, Interesting) by btendrich on Saturday April 18 2015, @12:40PM
The same way you don't know that they broke into your house and replaced your laptop with one that will eat your children... The NSA is one of the few technically impressive pieces of the government left (just look at what NASA just let happen!). If they want your stuff bad enough, they will probably get at it. Although I do agree that HTTPS is a nice way to avoid being the low hanging fruit.
(Score: 3, Insightful) by bzipitidoo on Saturday April 18 2015, @04:32PM
No, excessive security is insecurity. People do not take security as seriously when it is unnecessary and people see that. Further, there is the false positive problem. Unnecessary security is very bad when it denies access for an invalid reason. For https, I've had the browser pop up the scary warning messages about invalid certificates that actually were perfectly valid. It happened because I was on an old computer that could not save the current date because the CMOS battery was dead, and the browser believed the system about the date being Jan 1, 2000. If the site had not insisted on https, I would not have been troubled with that false positive. Instead, I was presented with the demand to add a totally unnecessary security exception before being allowed to view the site. I've commented on Firefox bug reports about this problem.
As to your questions, how do you know the NSA hasn't hacked the Linux distro's website and substituted a CD install image with back doors, complete with md5 and sha256 sums, and valid digital signatures? Or, that the NSA didn't strike further upstream, and break into the source code repository of openssl, or Apache, Firefox, bind, dnsmasq, bash, xterm, getty, or the Linux kernel itself, to add a back door? No need to crack https to do that. When you focus on unnecessary https, you divert resources from real security threats. https has its place, but let's not overuse it. And definitely don't try to implement the evil bit.
For example, very few people use SELinux, because it's a pain to administer, and doesn't do much to add to the security. I was always having to add permissions so that this vital utility and that vital utility could function. An insider can still compromise an SELinux box. (Admittedly, guarding anything against insiders is pretty well impossible, but the point here is that SELinux sort of tries to do that.) SELinux's coverage is very narrow, too narrow. It will not stop an exploit that does not touch or care about the underlying OS. Most attacks use some other vector, such as a browser. NoScript is more important and better security than SELinux, but it is still a hassle to use; you have to constantly add to its whitelist.
(Score: -1, Offtopic) by Anonymous Coward on Saturday April 18 2015, @03:43AM
I was just reading a journal entry [soylentnews.org] by my dear friend Ethanol-fueled.
He talks of "one of those big lock thingies hanging from his doorknob" that he saw on a vacant house.
I've seen those on doors before, but I have never understood how they work. Can anyone explain this?
What is the proper name for those things, too?
(Score: 0) by Anonymous Coward on Saturday April 18 2015, @04:20AM
You've missed the point of the gadget.
Though it looks like a giant padlock, the point is that the thing is HOLLOW.
It is called a Realtor Lockbox [google.com]
Inside the thing, there is a key to the property
Each realtor has a master key or a combination that opens the box.
That way, each realtor doesn't have to carry 100 keys to show 100 properties.
(Score: 1, Troll) by aristarchus on Saturday April 18 2015, @05:25AM
My god, my estimation of Ethanol, and others of his ilk, has just fallen beyond recovery. It is almost like when the Insane Clown Posse admitted they had no idea how magnets worked. Is it actually possible for humans to be this stupid? Or more to the point, is it possible that humans cannot know they are revealing just how stupid they are, with a computer, over a computer network? I smell a patent violation here, along with the teen spirit. Kurt Cobain: "Here we are now, entertain us; we feel stupid, and contagious!"
(Score: 2, Insightful) by Anonymous Coward on Saturday April 18 2015, @12:53PM
Nobody knows how magnets work. Not even physicists and electrical engineers. We can describe what we've observed about them and how they interact with each other and with other matter, but we still don't truly understand how they work.
(Score: 0) by Anonymous Coward on Saturday April 18 2015, @03:35PM
We know how they work.
We just don't know why they work.
It's probably god. Just not the ICP's ultra-christian version of God.
(Score: 0) by Anonymous Coward on Saturday April 18 2015, @07:09PM
There's absolutely zero reason to even think a god exists, let alone think that it makes magnets work.
(Score: 3, Insightful) by Leebert on Saturday April 18 2015, @01:37PM
Drifting off-topic, but as a quick PSA: The better term is "real estate agent". You don't have to be a Realtor® to be a real estate agent any more than you have to be a CISSP to be a computer security expert. It's just a trade group that does a lot of marketing and lobbying. And the lobbying is (surprise!) not always in the best interest of the general public.
(Score: 4, Interesting) by Fauxlosopher on Saturday April 18 2015, @03:53AM
It seems silly to me to complain about websites that host non-sensitive content and lack HTTPS capability. Last I'd checked, most/all major browsers threw a warning if a website used a self-signed certificate (or worse: e.g. the Mozilla dunderheads changed Firefox to pitch a hysterical temper tantrum by default), and the trustworthiness of the Certificate Authority system is completely compromised in that, in just one example, every CA based in the USA is subject to the NSA's gag-ordered National Security Letters. Most businesses comply with NSLs rather than fight or shut down business like Lavabit did [theguardian.com].
As-is, the owner of a simple website that doesn't handle sensitive information, who understands the broken nature of the CA system and doesn't want to rely on it, is basically stuck between a rock and a hard place. If he chooses to use self-signed certificates, users are shown pointless "suspicious" warnings which will drive some away. If he uses a compromised CA (which potentially includes all of them), he's just participating in security theater. If he takes the simple approach and just sticks to unencrypted HTTP, some self-important idiot is likely to point ignorant fingers and start keening about "unsecure sites".
Certificate pinning can help, but neither that nor private/democratic webs-of-trust will work properly in front of an average user faced with the stupid default browser behavior currently in vogue.
(Score: 0) by Anonymous Coward on Saturday April 18 2015, @04:06AM
To quote a great computer scientist,
(Score: 2) by Tork on Saturday April 18 2015, @04:21AM
Slashdolt Logic: "25 year old jokes about sharks and lasers are +5, Funny." 💩
(Score: 3, Informative) by Fauxlosopher on Saturday April 18 2015, @04:32AM
There are many things HTTPS protects against (and yes, it does protect against the situation in your example). If any of those are important to you or your website, then use HTTPS on your site.
The point of my previous post was that HTTPS is by no means a panacea, particularly in its current form of foolishly-paranoid browser defaults and CAs compromised by criminal governments.
(Score: 2) by isostatic on Saturday April 18 2015, @09:30AM
With self-signed certificates it only partially protects. If you've been to the site before, you'll know if there's a MitM attack. Unless the certificate has changed on the server. If you haven't, you'll think you're secure but won't necessarily be.
Unlike with SSH, where I know if the key should have changed, and I log in for the first time when connected on a secure network, with https there are arguably too many false positives from self-signed certs.
(Score: 1) by Fauxlosopher on Saturday April 18 2015, @06:01PM
Using HTTPS with self-signed certificates is equivalent to using SSH with default key generation and settings.
In both cases, a new visitor/user does not generally have foreknowledge of the site's cryptographic fingerprints, and a man-in-the-middle attack is possible when the user lacks that knowledge.
The single reason for more "false positives" with HTTPS versus SSH fingerprints is that the typical default expiration dates set for HTTPS certificates are set a year or so out, versus no expiration dates for SSH credentials. I can think of no practical value to creating an HTTPS certificate with an expiration date (or, since I recall openssl demanding an expiration date, an expiration time closer than decades into the future) other than to generate revenue for "official" CA businesses that want to sell you a new certificate every year.
Unix-like servers store both types of credentials in the same manner (files on disk), so if you have no problem with servers using SSH, you should have no objection to servers using self-signed HTTPS certificates that effectively don't expire.
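The SSH-style trust-on-first-use model that the last few posts compare with CA-issued certificates, as an added example (not code from any post): a pin store that behaves like known_hosts, plus the validity-window check that produces the clock-skew false positive described earlier in the thread. The pin-file format, hostnames and certificate bytes are constructed for the example.

```python
"""Trust-on-first-use (TOFU) pinning of TLS certificates, modelled on how an SSH
client treats ~/.ssh/known_hosts. Added example for the comparison above, not
code from any post; the pin-file format (host, base64 SHA-256 pin) is this
example's own and the certificate bytes are constructed placeholders."""
import base64
import hashlib
from datetime import datetime, timezone

NEW, MATCH, MISMATCH = "new-host", "match", "mismatch"


def cert_pin(cert_der: bytes) -> str:
    """base64(SHA-256(DER certificate)): one line per host, like a known_hosts key."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode()


def load_pins(text: str) -> dict:
    """Parse 'host pin' lines; blank lines and '#' comments are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            host, pin = line.split(None, 1)
            pins[host] = pin.strip()
    return pins


def dump_pins(pins: dict) -> str:
    return "".join(f"{host} {pin}\n" for host, pin in sorted(pins.items()))


def tofu_check(pins: dict, host: str, cert_der: bytes) -> str:
    """First contact is accepted and remembered, so an attacker present at that
    moment goes unnoticed; later contacts must show the same pin. A mismatch is
    either a legitimate new certificate or an interception: the client cannot tell."""
    pin = cert_pin(cert_der)
    known = pins.get(host)
    if known is None:
        pins[host] = pin
        return NEW
    return MATCH if known == pin else MISMATCH


def validity_problem(not_before: datetime, not_after: datetime, now: datetime):
    """None inside the validity window, otherwise the reason. A system clock reset
    to 2000 makes a valid certificate 'not yet valid': the false positive one
    poster hit. SSH host keys carry no dates, so they cannot fail this way."""
    if now < not_before:
        return "not yet valid (is the system clock right?)"
    if now > not_after:
        return "expired"
    return None


def demo() -> list:
    """First visit, repeat visit, changed certificate, reload from file, clock skew."""
    cert_a = b"constructed DER bytes: example.test, key A"
    cert_b = b"constructed DER bytes: example.test, key B"
    pins = load_pins("# constructed pin file\nother.test AAAA=\n")
    results = [tofu_check(pins, "example.test", cert_a),   # new-host
               tofu_check(pins, "example.test", cert_a),   # match
               tofu_check(pins, "example.test", cert_b)]   # mismatch
    pins = load_pins(dump_pins(pins))                      # survive a round trip
    results.append(tofu_check(pins, "example.test", cert_a))  # match
    utc = timezone.utc
    issued, expires = datetime(2015, 4, 1, tzinfo=utc), datetime(2016, 4, 1, tzinfo=utc)
    results.append(validity_problem(issued, expires, datetime(2000, 1, 1, tzinfo=utc)))
    results.append(validity_problem(issued, expires, datetime(2015, 4, 18, tzinfo=utc)))
    return results


if __name__ == "__main__":
    print(demo())
```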
(Score: 0) by Anonymous Coward on Monday April 20 2015, @03:25AM
And if you want that level of security, browsers are finally offering a way to do it with HTTP opportunistic encryption. The browser vendors have decided that putting "HTTPS" in the URL means that some external authority (either a CA or the NSA ;) has verified that the server really is the right one for the domain.
I really have to ask... do people actually use SSH without verifying host keys? I guess I do for servers like GitHub, but for the vast majority of the servers I have access to, I verify the host key locally (or over a wired LAN at least) before using it over the internet.
(Score: 1) by Fauxlosopher on Tuesday April 21 2015, @12:45AM
And therein lies the rub. SSH and HTTPS credential verification are handled in the same fashion, and there's some level of required trust for the vast majority of users who do not have physical or local-network access to the servers they want to use encryption with.
The NSA and CA system are known threats/weaknesses as far as credential verification systems go, so the existing HTTPS-with-CA system can't be pointed to as a proper "existing solution".
Other private alternatives or methods exist, such as "Perspectives" and "Certificate Patrol" as early examples. Some combination of widespread democratic verification and certificate pinning systems are likely going to be required in functional solutions.
(Score: 1) by Fauxlosopher on Saturday April 18 2015, @04:39AM
As an addendum to my previous reply [soylentnews.org] to your comment:
If you have criminals in your ISP and government, the proper fix is not to point fingers and blame at website owners who are not using a mostly-broken security system.
The proper fix is to seize the criminals and punish them after following due process.
(Score: 0) by Anonymous Coward on Saturday April 18 2015, @12:21PM
Wishful thinking and absolutism go hand in hand.
Meanwhile in the real world, real engineers are focused on practical solutions that can get results today, not theoretical results in a theoretical perfect world.
(Score: 0) by Anonymous Coward on Saturday April 18 2015, @09:56PM
HTTPS as-is does not "get results" today, which was the point originally being made.
While there are limited use cases where HTTPS as-is does offer some benefit, those benefits are overshadowed by the system's brokenness.
People pointing to as-is HTTPS as a "practical solution" are lazy, ignorant, or working for the NSA.
(Score: 2) by maxwell demon on Saturday April 18 2015, @03:36PM
"Hey, the door you installed me has no lock!"
"So what? If you have criminals in your neighbourhood, don't blame the people not installing locks on doors. Catch and punish the burglars!"
The Tao of math: The numbers you can count are not the real numbers.
(Score: 1) by Fauxlosopher on Saturday April 18 2015, @06:37PM
If you believe that your likely-typical door locks and deadbolts are the things that keep criminals out of your house, you are sadly [youtube.com] mistaken [youtube.com]. Locks are used to deter the drunk/confused from ending up in your living room instead of on your porch, or to act as a different type of doorbell to let you know that you need to grab your shotgun instead of your pants.
(Score: 0) by Anonymous Coward on Saturday April 18 2015, @07:11PM
Well, I have all-metal doors and all the windows also have metal bars. That should slow down the fuckers.
(Score: 0) by Anonymous Coward on Saturday April 18 2015, @07:21PM
I was going to agree with you, but the frame is typically the weakest spot. Here's a solid wooden door set in a metal frame [youtube.com], and it does take a significant amount of work to get through. Proper frame and door reinforcements can make forced entry effectively impervious to humans lacking power tools [youtube.com]...
... but then there's nothing stopping someone from using a buzzsaw to simply cut a new doorway in a wall, or driving a tank into your house.
Nonetheless, taking simple and inexpensive steps to reinforce entryways can help keep the home's owner from being low-hanging fruit for criminals.
(Score: 2, Insightful) by Anonymous Coward on Saturday April 18 2015, @05:50AM
In the past, there were complaints about not indicating which parts of the original article were lifted intact.
Since then, I have made additional effort to carefully use the blockquote tag.
Undoing the effort I put into my submission takes us back to where we started, months ago.
(Score: 2) by Yog-Yogguth on Saturday April 18 2015, @03:23PM
No moderation points right now so I'm commenting to give the AC more visibility in case it is needed (I'm not sure it is). Parent comment is “0 Insightful” at the moment.
Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
(Score: 0) by Anonymous Coward on Saturday April 18 2015, @07:15AM
A pretty lacking comparison I say. Funny idea though.
(Score: 4, Insightful) by FatPhil on Saturday April 18 2015, @08:51AM
On standards compliance, validator.w3.org says:
https://www.hillaryclinton.com/ 6 Errors, 4 warning(s)
https://www.tedcruz.org/ 13 Errors, 12 warning(s)
http://randpaul.com/ 19 Errors, 5 warning(s)
https://marcorubio.com/ 44 Errors, 16 warning(s)
Hooray for the new more-semantically meaningful HTML5, which lets webpage designers prove that they're *still* clue-resistant retards. Insert Erik Naggum quote to taste.
And here's a vague usability/accessibility measurement, based on my (w3m+images) and my g/f's (lynx) entirely subjective views:
https://www.hillaryclinton.com/ decent in w3m, decent in lynx. 2nd link in page is for spanish and that works with no cookies.
https://www.tedcruz.org/ pretty shitty in w3m, 403 Forbidden in lynx. No link for spanish.
http://randpaul.com/ pretty decent in w3m, pretty decent in lynx. No link for spanish.
https://marcorubio.com/ pretty poor in w3m, pretty poor in lynx. No link for spanish.
Maybe someone would like to measure (cache-cleared) page load times for each of the front pages. With and without JS, preferably.
Which reminds me - do any of the pages load *any* content (particularly CSS or JS) from third-party sites? If so, all the https vs. http debate is futile, content on that page is not guaranteed to be what the parent page thought it was putting on the page. And therefore https was pretty futile.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
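The third-party-content question raised in the post above, turned into a check a site owner could run, as an added example (not code from the post or from the blog it discusses): it lists the origins a page pulls scripts, stylesheets and images from, flags plain-http loads into an https page, and flags third-party script/stylesheet tags that carry no Subresource Integrity hash. The sample page and hostnames are constructed.

```python
"""Audit where a page's subresources come from. Added example prompted by the
comment above, not code from any post; the sample page and hostnames are
constructed (.example / .test names) and no network access is needed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that fetches a subresource. Scripts and stylesheets are
# "active" content: whoever serves them controls the whole page.
FETCH_ATTR = {"script": "src", "link": "href", "img": "src",
              "iframe": "src", "source": "src"}
ACTIVE_TAGS = {"script", "link"}


class SubresourceCollector(HTMLParser):
    """Collects (tag, absolute_url, has_integrity) for each subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTR.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        # Only <link>s that actually load rendering code matter here.
        if tag == "link" and (a.get("rel") or "").lower() != "stylesheet":
            return
        if a.get(attr):
            url = urljoin(self.page_url, a[attr])   # resolves '//host/x' too
            self.refs.append((tag, url, bool(a.get("integrity"))))


def audit(page_url, html):
    """Classify subresources relative to the page's origin.

    mixed_content: http:// loads into an https:// page (browsers block or warn)
    third_party:   served by another host, so outside the page's own TLS guarantee
    unpinned:      third-party script/stylesheet without Subresource Integrity,
                   i.e. the page has no check on what that host actually sends
    """
    parser = SubresourceCollector(page_url)
    parser.feed(html)
    page = urlsplit(page_url)
    out = {"first_party": [], "third_party": [], "mixed_content": [], "unpinned": []}
    for tag, url, has_sri in parser.refs:
        res = urlsplit(url)
        if page.scheme == "https" and res.scheme == "http":
            out["mixed_content"].append(url)
        if res.netloc.lower() == page.netloc.lower():
            out["first_party"].append(url)
            continue
        out["third_party"].append(url)
        if tag in ACTIVE_TAGS and not has_sri:
            out["unpinned"].append(url)
    return out


# Constructed sample page: two first-party files, one CDN script with SRI,
# one without, and a plain-http tracking pixel.
SAMPLE_URL = "https://www.candidate.example/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="icon" href="/favicon.ico">
<script src="//cdn.example.net/jquery.js"></script>
<script src="https://cdn.example.net/app.js"
        integrity="sha384-CONSTRUCTED-PLACEHOLDER"></script>
</head><body>
<script src="/js/main.js"></script>
<img src="http://tracker.example.org/pixel.gif" alt="">
</body></html>"""

if __name__ == "__main__":
    for key, urls in audit(SAMPLE_URL, SAMPLE_HTML).items():
        print(f"{key}: {urls}")
```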
(Score: 1, Interesting) by Anonymous Coward on Saturday April 18 2015, @12:19PM
The level of spanish-unfriendliness is probably ideological, not technical. The republican base - the most extreme ones who are the only ones who vote in primaries - simply does not like teh brownies. I fully expect that each republican candidate has done focus groups and found that putting a spanish version up will piss off more of their base than it will draw in spanish-speaking voters.
(Score: 3, Informative) by kaszz on Saturday April 18 2015, @10:58AM
* Hillary Rodham Clinton
* Jeff Boss
* Vermin Supreme
* Robby Wells
* Ted Cruz
* Rand Paul
* Marco Rubio
* Mark Everson
* Jack Fellure
* Terry Jones
* Zoltan Istvan
The comparison was probably limited to candidates with the most money and connections. But out of the four evaluated, Hillary Clinton and Rand Paul seem to be the candidates with a site done with the most competence. w3m and lynx are quite good tools to weed out the most incompetent ones.