As the spectacle that is the 2016 U.S. presidential primary season continues to unfold, candidates from all sides of the political spectrum are united in their widespread use of their own Websites to educate voters. Although all the candidates have Websites, not all are equal from a security perspective.
So who among the remaining crop of candidates has the most secure site?
Alex Heid, chief research officer at SecurityScorecard, has an answer. According to Heid’s research, Republican front runner Donald Trump’s Website ranks tops in terms of security while Democratic front runner Hillary Clinton’s leaves much to be desired. Heid’s analysis looked at the Trump, Cruz, Clinton, Sanders and Kasich campaign Websites.
SecurityScorecard develops and sells a service that rates the security of an organization, as measured by a number of external-facing attributes. In February, the company launched a new capability that provides visibility into the security of third-party suppliers. The risk for many organizations isn’t always in their own infrastructure, but rather in the shared components that are pulled in from third-party suppliers.
Heid emphasized that the SecurityScorecard analysis of the presidential candidates’ Websites did not involve any invasive penetration testing but, rather, is based on passive analysis.
“With the political Websites, we’re able to get information just by looking at the IP addresses and by viewing the source code of the given Website,” Heid told eWEEK.
Many modern Web browsers still enable any user to simply click “view source” to see the source code for a given site. By looking at that code, it’s possible to determine what content management system (CMS) and what plug-ins are in use.
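The kind of passive, source-only inspection Heid describes can be reproduced by a site owner against their own pages to see what a CMS, its version, its theme and its plug-ins leak. The example below is added here and is not SecurityScorecard’s tool; the sample HTML, theme and plug-in names are constructed for the example, and the markers it looks for (generator meta tags, `wp-content` paths, common Drupal asset paths) are ordinary public conventions of those platforms.

```python
import re
from html.parser import HTMLParser

# Constructed sample page source (not a real campaign site); the theme
# and plug-in names are made up for this example.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 4.4.2">
<link rel="stylesheet" href="/wp-content/themes/example-theme/style.css">
<script src="/wp-content/plugins/contact-form-demo/js/form.js"></script>
<script src="/wp-content/plugins/seo-demo/main.js"></script>
</head><body></body></html>"""

class _AssetCollector(HTMLParser):
    """Gather the generator meta tag and every src/href URL in the page."""
    def __init__(self):
        super().__init__()
        self.generator = None
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        for key in ("src", "href"):
            if a.get(key):
                self.urls.append(a[key])

def fingerprint(html):
    """Return what a passive look at the source reveals about the CMS."""
    p = _AssetCollector()
    p.feed(html)
    result = {"cms": None, "version": None, "theme": None, "plugins": set()}
    if p.generator:  # e.g. "WordPress 4.4.2" or "Drupal 7 (http://drupal.org)"
        m = re.match(r"(WordPress|Drupal|Joomla!?)\s*([\d.]*)", p.generator, re.I)
        if m:
            result["cms"], result["version"] = m.group(1), m.group(2) or None
    for url in p.urls:
        t = re.search(r"/wp-content/themes/([^/]+)/", url)
        if t:  # theme directory names the installed template
            result["cms"] = result["cms"] or "WordPress"
            result["theme"] = t.group(1)
        pl = re.search(r"/wp-content/plugins/([^/]+)/", url)
        if pl:  # each plug-in ships assets under its own directory
            result["cms"] = result["cms"] or "WordPress"
            result["plugins"].add(pl.group(1))
        if "/sites/default/files/" in url or "/misc/drupal.js" in url:
            result["cms"] = result["cms"] or "Drupal"
    result["plugins"] = sorted(result["plugins"])
    return result
```

Anything this returns for your own site is what the passive analysis in the article would see without sending a single request beyond fetching the page; removing the generator tag and keeping plug-ins patched is the usual response.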
“We’re simply analyzing what is beaconing out—what anyone that knows where to look can find out about a Website,” Heid said.
Heid’s analysis showed some interesting commonality across the presidential candidate Websites. Sites that belong to the Trump, Cruz and Sanders campaigns all use distributed denial-of-service (DDoS) and Web application firewall (WAF) protection from security vendor CloudFlare. The Kasich (johnkasich.com) and Clinton Websites both are hosted on Amazon Web Services, and neither had DDoS/WAF protection service in place.
The Trump Website uses a content management system, which the SecurityScorecard analysis showed was properly configured, without an exposed administration panel. Trump also uses PayPal’s Braintree payment processing system as well as the Republican party’s VictoryParty.com payment processor.
“I don’t want to say there were no misconfigurations on donaldjtrump.com; it’s just that everything seems to be good to go from the outside,” Heid said.
In recent weeks, hacktivist group Anonymous has publicly declared war on the Trump campaign, though, to date, the war hasn’t brought down the Trump Website. Heid noted that there have been DDoS attacks against the Trump Hotels Website, but the main Trump campaign Website has yet to experience any measurable downtime. Heid credits Trump’s use of CloudFlare for the Website’s ability to withstand potential attacks from Anonymous.
“If you went to the donaldjtrump.com site over the last week or so, as Anonymous kicked off its attacks, there was some lag time, but the site has remained up,” Heid said.
Rating the Security of the 2016 Presidential Candidates’ Websites
Ranked No. 2 behind Trump for presidential Website security is tedcruz.org. The Cruz campaign Website, like the Trump site, also uses CloudFlare for DDoS and WAF protection. Instead of using Drupal, the Cruz campaign makes use of the open-source WordPress content management system. While Trump’s Drupal site hides its administrative interface, the Cruz Website has left its administrative portal somewhat exposed, which could represent a potential risk. It’s also easy to determine the specific WordPress template theme, Kleo, that Cruz is using.
“So, for an attacker, it’s just a matter of waiting for a vulnerability to come along,” Heid said.
On the Democratic side, Heid ranks the berniesanders.com campaign Website ahead of the hillaryclinton.com site, though both are behind the Trump and Cruz sites in terms of overall security. Sanders uses CloudFlare security and the WordPress CMS. As was the case with Cruz, the Sanders site had not properly hidden its administrative page.
The Clinton Website, unlike those built by Cruz or Sanders, does not use an open-source CMS, but rather, it is custom built. The fact that Clinton isn’t using an open-source platform doesn’t necessarily make her site less secure, but it does raise some concerns.
“If the open-source CMS is configured properly and hardened, the only way you’ll get hit is by a really potent zero-day,” Heid said. “With a custom site, there are way more moving parts that need to be double-checked.”
With a commodity CMS, such as the open-source Drupal and WordPress applications, large communities of people are constantly looking for security issues and making it better, Heid said.
“With a custom CMS, you’re just hoping that the developers have crossed all the t’s and dotted all the i’s.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.