
You think Donald Trump is insecure? Check out his online store

Yuge security flaws, the best kind of security flaws, guaranteed incredible flaws

By Kieren McCarthy, 1 Aug 2016

Updated

Republican presidential nominee Donald Trump has been widely and repeatedly mocked for being thin-skinned, something not helped by his compulsive need to insult anyone who criticizes him.

But if you thought The Donald was insecure, just check out his online store at DonaldTrump.com.

Despite being an alleged billionaire and having the backing of millions of supporters, it seems that those behind the official Trump site haven't grasped basic web security.

The online store at shop.donaldjtrump.com offers all sorts of Trump-inspired merchandise, from "Make America Great Again" hats for $25, to rally signs and pennants, to a Trump-Pence dog coat for a mere $15.

What you won't find, however, is an HTTPS-secured connection.

That's right, despite having installed a valid SSL certificate for the main Donald Trump website and his donations sub-domain, for some reason the online store is happy to spill out all of your personal and credit card details in plain text across the internet via good old HTTP. If you attempt to use https://shop.donaldjtrump.com, you'll be pushed back to unencrypted HTTP on the next page.

For a man who has made great play over the alleged lack of security around Hillary Clinton's private email server, you would expect a little more protection for those souls who want to pay a billionaire more money to have items with his name emblazoned on them.

The big question now is: will WikiLeaks supply all those personal details, as they did with donations to the Democratic party? Or does its exploitation of ordinary voters' information only extend to candidates and parties that Vladimir Putin doesn't approve of?

And before you ask, yes, Hillary Clinton also has an online store, and yes, it is secure. ®

Updated to add at 2235 UTC

Trump's store is now using HTTPS by default – albeit a mix of HTTP and HTTPS, which is still insecure but better than nothing. In this small victory, it was El Reg wot won it.
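For site owners who want to check their own store for the two conditions described above (an HTTPS URL that redirects back to HTTP, and an HTTPS page that still pulls in or posts to HTTP URLs), here is an added example that is not part of the original article. The hostnames, redirect chain and HTML are constructed sample data, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample data (not captured from any real site).
SAMPLE_CHAIN = ["https://shop.example/", "http://shop.example/cart"]
SAMPLE_PAGE_URL = "https://shop.example/"
SAMPLE_HTML = """
<link rel="canonical" href="http://shop.example/">
<link rel="stylesheet" href="/site.css">
<script src="http://cdn.example/cart.js"></script>
<img src="//img.example/hat.png">
<a href="http://shop.example/hats">Hats</a>
<form action="http://shop.example/checkout" method="post"></form>
"""

class _RefCollector(HTMLParser):
    """Collect URLs the browser would load or submit to, resolved against the page URL."""
    def __init__(self, base):
        super().__init__()
        self.base, self.refs = base, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            return  # plain navigation link, not a subresource
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # e.g. rel=canonical is metadata, nothing is fetched
        for name in ("src", "href", "action"):
            if a.get(name):
                self.refs.append((tag, urljoin(self.base, a[name])))

def find_downgrades(chain):
    """Return (from, to) pairs where an https URL redirects to an http URL."""
    return [(src, dst) for src, dst in zip(chain, chain[1:])
            if urlsplit(src).scheme == "https" and urlsplit(dst).scheme == "http"]

def find_mixed_content(page_url, html):
    """Return (tag, url) pairs an https page loads from, or posts to, over http."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for pages served over https
    collector = _RefCollector(page_url)
    collector.feed(html)
    return [(tag, url) for tag, url in collector.refs
            if urlsplit(url).scheme == "http"]

if __name__ == "__main__":
    print(find_downgrades(SAMPLE_CHAIN))
    print(find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML))
```

The form action is the finding that matters most on a checkout page, since that is where card details would be submitted in plain text.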

The Register - Independent news and views for the tech community. Part of Situation Publishing