Making ecommerce weak again.
This is the week that Donald Trump got his HyperText Transfer Protocols in an insecure twist. It’s also the week that Google went all Strictly on HTTP’s arse, and HTTP The Sequel got played at Black Hat. We hope you are sitting securely.
Let’s kick things off with a bit of Donald Trump. The wannabe President of the USA, sometime reality TV celeb and supposedly shrewd businessman is not short of a buck or billion. Yet none of the above prevented The Donald from making a schoolboy web security error over at his online shop front.
The Register discovered (we won’t ask what it was actually looking to buy in the way of Trump memorabilia) that no matter how you tried to enter shop.donaldjtrump.com, you always ended up on an insecure connection. El Reg reporters found that “despite having installed a valid SSL certificate for the main Donald Trump website and his donations sub-domain, for some reason the online store is happy to spill out all of your personal and credit card details in plain text across the internet via good old HTTP.”
Even if you forced a manual ‘https://shop.donaldjtrump.com’ into your browser, The Donald was having none of it and threw you straight back onto an unencrypted HTTP page in short order. Maybe he should have got his ecommerce team to talk to Hillary Clinton, who, despite all the claims of email hacking and leaking, has an online campaign shop and somehow manages to use HTTPS secure connections properly.