A cursory look at Change.gov and MyBarackObama reveals enough amateur mistakes to make even the most ardent supporters wonder just who in the heck is in charge of security. For one, the content management system for both of the sites is easily accessible to anyone. And as far as we can tell, neither page is protected by secure sockets layer — the "s" following a web address's "http" that assures you the connection is encrypted.
Security 101 would dictate that pages this sensitive should be restricted to select internet protocol addresses, or at the very least, encrypted to prevent so-called man-in-the-middle attacks. There are no such protections on Change.gov or MyBarackObama, the latter suggesting that this lack of attention to security has been allowed to persist for some time now.
The failure of Obama's webmasters to follow anything remotely like best practices is more than a little troubling because it suggests they don't fully grasp the security realities of living in a Web 2.0 world.
Tuesday, November 25, 2008
Barack Obama weak on (Internet) security
From The Register:
Posted by James
Tags: Barack Obama