Presidential candidate website tech, compared

Today, Hillary Clinton announced that she’s running for president. She also launched a new website.

Over the next year, political pundits will spend far too much time dissecting the horse race, scandals (real or imagined), the electoral college and more polls than you can shake a stick at. I’m doing none of that. I’m just looking at websites.

So, you want to run a country. Can you hire someone who can run a website? These days, that means all new sites, whether running the government or delivering news should be built over HTTPS.

Here’s how the (declared) candidates’ sites fare:

Site Expected
HTTPS works ish [1]
HTTPS default
Requires SNI [2]
https redirects to www 404 error works works
https works redirects to works redirects to
canonical hostname none something
SSL Labs rating A [3] A A A A+
intermediate sha2
cert vendor Comodo RapidSSL RapidSSL Comodo
intermediate cert vendor Comodo GeoTrust Global CA GeoTrust Global CA Comodo
cert type Wildcard Wildcard Wildcard SAN Wildcard or Standard
CDN Fastly CloudFlare CloudFlare CloudFlare something
Server signature nginx (
AmazonS3 (www)
CloudFlare nginx CloudFlare nginx CloudFlare nginx
Tech Python (?) [gunicorn 19.1.1 + Varnish]
groundwork [4]
WordPress 4.1.1 PHP 5.5.9
WordPress 4.1.1
Registrar Network Solutions GoDaddy Pty Ltd GoDaddy hopefully not GoDaddy
Whois Privacy Domains By Proxy, LLC Whois Privacy Services Pty Ltd Domains By Proxy, LLC
Origin IP ?? [5] ?? ??
Origin Server ?? Apache/2.2 ?? ??
Mail server Gmail Gmail Gmail Gmail
ESP (SPF) SilverPOP Systems Marketo, Sendgrid Mailgun VerveMail
robots details Disallow: /api/ Disallow: /wp-admin/ nothing disallowed [6]
Site Expected

I’ll update this as more candidates declare or sites change.


  1. works, but gives a 404 error.
  2. Sites that require Server Name Indication (SNI), such as this one, are incompatible with a handful of legacy browsers.
  3. Fastly’s gets a score of 90 on key exchange, while the AWS servers ( get a score of 80. The AWS servers also have an extra cert in the chain (signed with SHA1).
  4. Groundwork appears to be a custom JavaScript web framework. It does not seem to be related to either the I Like Robots Groundwork or Groundwork CSS.
  5. Likely origin, based on server responses.
  6. Redirects to


  • 2:01am EDT: Fixed topline.
  • 8:46am EDT: Fixed spelling of spend and fastly.
  • 11:33am EDT: (now) seems to have certs signed with SHA-1.
  • 2:27pm EDT: Added robots.txt.
  • 2:35pm EDT: Added “Expected” column.

18 Responses to Presidential candidate website tech, compared

  1. Tuan says:

    It returns a lightly different result with yours.
    Want to take a look at it?

  2. was using IIS (and no https) until Sunday morning, when they switched over.

  3. Rogier says:

    Hi Paul,

    Just a quick FYI, it’s just “Fastly”, not “”.


  4. Stan Stanchev says:

    Hey, I found that the Hillary Clinto website is hosted by Azure somewhere near/in Brazil(I don’t know exactly) check that record : (

  5. Pingback: 【今日乐见】Google 卫星能帮你访问那些网站么? – 趣飞拍

  6. Brandon says:

    Spelling error in the second sentence, spent should be spend. Love the ideas on this page though.

  7. Pingback: Links 13/4/2015: Linux 4.0 Released; A Look at Antergos 2015.04.12 | Techrights

  8. Pam says: says they’ve built the site with, you say it’s built with some python framework. What gives?

  9. See my reply to Tuan above. hasn’t updated its data.

  10. teresafinn says:

    And how! What a fantastically fun idea. Looking forward to seeing the updates.:)

  11. Pingback: How hackable are the 2016 presidential candidates' websites? | Fusion

  12. Very cool! What a great idea. Would be fun to also check which candidates sign their domain with DNSSEC.

  13. Anthony D Paul says:

    Does Hillary get extra credit for the ASCII art in the source?

    HHHHHH →→→→HH
    HHHHHH →→→→→→→
    HHHHHH →→→→→→→
    HHHHHH →→→→HH

  14. Pingback: 【今日乐见】Google 卫星能帮你访问那些网站么? | 網路與創業每日必讀

  15. Emilio says:

    Nice comparison :)

    One minor detail, has no correctly cloudflare configured, you can see the real IP for the mail.
    and it has third party services (which at least in Europe is not allowed)


  16. Great writeup, Paul! I took a similar spin on a few top presidential candidate’s websites to audit their marketing strategy.

    You can check it here:

    @Anthony D Paul – Check out Bernie Sanders’ awesome ASCII too!

  17. Jeremy Starn says:

    Excited for the next update. What’s going on with Bernie Sanders’ site?

  18. Emilio says:

    Bernie Sander´s site is not bad:

    but hope the worpress is update to the last not vulnerable version

Leave a Reply

Your email address will not be published. Required fields are marked *