Problem ID: 3264092321534100092
Entered by: Ben Simo

Healthcare.gov includes resources which are not secure

While completing an application on Healthcare.gov, I noticed my browser warning that something in the secure application was being transmitted over the Internet without encryption.

I then check each of the requests being made on the site and discover that there are repeated requests being made to a REST service named login. Thankfully the request contains no personal information. It does contain an application ID (which is also sent to 3rd party web analytics companies) -- an ID that I hope isn't personally identifiable on its own.

This request is then redirected to occur over SSL and fails to complete. I've also seen this same request made without encryption on the user profile page.

While this doesn't appear to reveal any personally identifiable information, it is concerning that the site is sending anything without encryption. After previously encountering a case in which HC.gov sent my username without encryption, this is just one more warning that the site should not be trusted.

Although sending an application ID over the Internet without encryption may be benign, it does serve as a denial-of-trust attack.



Post a Comment