Today, Hillary Clinton announced that she’s running for president. She also launched a new website.
Over the next year, political pundits will spend far too much time dissecting the horse race, scandals (real or imagined), the electoral college and more polls than you can shake a stick at. I’m doing none of that. I’m just looking at websites.
So, you want to run a country. Can you hire someone who can run a website? These days, that means all new sites, whether running the government or delivering news should be built over HTTPS.
Here’s how the (declared) candidates’ sites fare:
| Site | hillaryclinton.com | tedcruz.org | randpaul.com | marcorubio.com | Expected |
|---|---|---|---|---|---|
| HTTPS works | ✔ | ish [1] | ✔ | ✔ | ✔ |
| HTTPS default | ✔ | ✖ | ✖ | ✔ | ✔ |
| HSTS | ✖ | — | — | ✖ | ✔ |
| Requires SNI [2] | ✖ | ✖ | ✖ | ✔ | ✖ |
| https site.com | redirects to www | 404 error | works | works | — |
| https www.site.com | works | redirects to http://www.tedcruz.org | works | redirects to https://marcorubio.com | — |
| canonical hostname | www.hillaryclinton.com | www.tedcruz.org | none | marcorubio.com | something |
| SSL Labs rating | A [3] | A | A | A | A+ |
| sha2 | ✔ | ✔ | ✔ | ✖ | ✔ |
| intermediate sha2 | ✔ | ✖ | ✖ | ✖ | ✔ |
| cert vendor | Comodo | RapidSSL | RapidSSL | Comodo | — |
| intermediate cert vendor | Comodo | GeoTrust Global CA | GeoTrust Global CA | Comodo | — |
| cert type | Wildcard | Wildcard | Wildcard | SAN | Wildcard or Standard |
| CDN | Fastly | CloudFlare | CloudFlare | CloudFlare | something |
| Server signature | nginx (hc.com) AmazonS3 (www) |
CloudFlare nginx | CloudFlare nginx | CloudFlare nginx | — |
| Tech | Python (?) [gunicorn 19.1.1 + Varnish] groundwork [4] |
WordPress 4.1.1 | PHP 5.5.9 Ubuntu |
WordPress 4.1.1 | — |
| Registrar | Network Solutions | GoDaddy | Fabulous.com Pty Ltd | GoDaddy | hopefully not GoDaddy |
| Whois Privacy | — | Domains By Proxy, LLC | Whois Privacy Services Pty Ltd | Domains By Proxy, LLC | — |
| Origin IP | ?? | 64.39.8.246 [5] | ?? | ?? | — |
| Origin Server | ?? | Apache/2.2 | ?? | ?? | — |
| Mail server | Gmail | Gmail | Gmail | Gmail | — |
| IPv6 | ✖ | ✔ | ✔ | ✔ | ✔ |
| ESP (SPF) | SilverPOP Systems | Marketo, Sendgrid | Mailgun | VerveMail | — |
| SPF type | TXT | TXT | TXT | SPF | TXT |
| robots.txt | ✔ | ✔ | ✔ | ✖ | ✔ |
| robots details | Disallow: /api/ | Disallow: /wp-admin/ | nothing disallowed | [6] | — |
| Site | hillaryclinton.com | tedcruz.org | randpaul.com | marcorubio.com | Expected |
I’ll update this as more candidates declare or sites change.
Notes
- https://www.tedcruz.org works, but https://tedcruz.org gives a 404 error.
- Sites that require Server Name Indication (SNI), such as this one, are incompatible with a handful of legacy browsers.
- Fastly’s www.hillaryclinton.com gets a score of 90 on key exchange, while the AWS servers (hillaryclinton.com) get a score of 80. The AWS servers also have an extra cert in the chain (signed with SHA1).
- Groundwork appears to be a custom JavaScript web framework. It does not seem to be related to either the I Like Robots Groundwork or Groundwork CSS.
- Likely origin, based on server responses.
- Redirects to https://www.marcorubio.com/landing/stream/.
Updates
- 2:01am EDT: Fixed randpaul.com topline.
- 8:46am EDT: Fixed spelling of spend and fastly.
- 11:33am EDT: marcobuio.com (now) seems to have certs signed with SHA-1.
- 2:27pm EDT: Added robots.txt.
- 2:35pm EDT: Added “Expected” column.
https://builtwith.com/hillaryclinton.com
It returns a lightly different result with yours.
Want to take a look at it?
HillaryClinton.com was using IIS (and no https) until Sunday morning, when they switched over.
Hi Paul,
Just a quick FYI, it’s just “Fastly”, not “Fast.ly”.
Cheers!
Hey, I found that the Hillary Clinto website is hosted by Azure somewhere near/in Brazil(I don’t know exactly) check that record : origin.hillaryclinton.com (191.238.240.12).
Spelling error in the second sentence, spent should be spend. Love the ideas on this page though.
https://builtwith.com/hillaryclinton.com says they’ve built the site with asp.net, you say it’s built with some python framework. What gives?
See my reply to Tuan above. BuiltWith.com hasn’t updated its data.
And how! What a fantastically fun idea. Looking forward to seeing the updates.:)
Very cool! What a great idea. Would be fun to also check which candidates sign their domain with DNSSEC.
Does Hillary get extra credit for the ASCII art in the source?
HHHHHH →→HHHH
HHHHHH →→→→HH
HHHHHH →→→→→→→
→→→→→→→→→→→→→→→→→→→→→→
→→→→→→→→→→→→→→→→→→→→→→→→
→→→→→→→→→→→→→→→→→→→→→→
HHHHHH →→→→→→→
HHHHHH →→→→HH
HHHHHH →→HHHH
Nice comparison :)
One minor detail, tedcruz.org has no correctly cloudflare configured, you can see the real IP for the mail.
http://desenmascara.me/consulta/b727b5a200df329288ef3f64c4f11387
and it has third party services (which at least in Europe is not allowed)
http://ec.europa.eu/ipg/basics/legal/3rd_party_tools/index_en.htm
Regards
Emilio
Great writeup, Paul! I took a similar spin on a few top presidential candidate’s websites to audit their marketing strategy.
You can check it here: http://caseystanton.com/2016-presidential-candidates-political-marketing-review-audit/
@Anthony D Paul – Check out Bernie Sanders’ awesome ASCII too!
Excited for the next update. What’s going on with Bernie Sanders’ site?
Bernie Sander´s site is not bad:
http://desenmascara.me/consulta/14df162e97ff629c311fe62583d9e98d
but hope the worpress is update to the last not vulnerable version
https://wordpress.org/news/2015/04/wordpress-4-2-1/