Paul Schreiber blogs about the tech behind the websites of presidential candidates. "So, you want to run a country. Can you hire someone who can run a website? ...Here's how the (declared) candidates' sites fare." There's a table comparing 4 candidates' sites based on HTTPS, URL permutations, IPv6, SSL rating, and other related qualities. Schreiber mentions that he will "update this as more candidates declare or sites change."
From the blog comments
HillaryClinton.com was using IIS (and no https) until Sunday morning, when they switched over.
(Score: 5, Informative) by FatPhil on Saturday April 18 2015, @08:01AM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2, Interesting) by btendrich on Saturday April 18 2015, @12:40PM
The same way you don't know that they broke into your house and replaced your laptop with one that will eat your children... The NSA is one of the few technically impressive pieces of the government left (just look at what NASA just let happen!). If they want your stuff bad enough, they will probably get at it. Although I do agree that HTTPS is a nice way to avoid being the low hanging fruit.
(Score: 3, Insightful) by bzipitidoo on Saturday April 18 2015, @04:32PM
No, excessive security is insecurity. People do not take security as seriously when it is unnecessary and people see that. Further, there is the false positive problem. Unnecessary security is very bad when it denies access for an invalid reason. For https, I've had the browser pop up the scary warning messages about invalid certificates that actually were perfectly valid. It happened because I was on an old computer that could not save the current date because the CMOS battery was dead, and the browser believed the system about the date being Jan 1, 2000. If the site had not insisted on https, I would not have been troubled with that false positive. Instead, I was presented with the demand to add a totally unnecessary security exception before being allowed to view the site. I've commented on Firefox bug reports about this problem.
As to your questions, how do you know the NSA hasn't hacked the Linux distro's website and substituted a CD install image with back doors, complete with md5 and sha256 sums, and valid digital signatures? Or, that the NSA didn't strike further upstream, and break into the source code repository of openssl, or Apache, Firefox, bind, dnsmasq, bash, xterm, getty, or the Linux kernel itself, to add a back door? No need to crack https to do that. When you focus on unnecessary https, you divert resources from real security threats. https has its place, but let's not overuse it. And definitely don't try to implement the evil bit.
For example, very few people use SELinux, because it's a pain to administer, and doesn't do much to add to the security. I was always having to add permissions so that this vital utility and that vital utility could function. An insider can still compromise an SELinux box. (Admittedly, guarding anything against insiders is pretty well impossible, but the point here is that SELinux sort of tries to do that.) SELinux's coverage is very narrow, too narrow. It will not stop an exploit that does not touch or care about the underlying OS. Most attacks use some other vector, such as a browser. NoScript is more important and better security than SELinux, but it is still a hassle to use, have to constantly add to its whitelist.