Cryptography
Cryptography and encryption software, hardware, issues, articles and conferences.

 



















  Wednesday, February 14, 2007


Hacker cracks HD copy protection.

Years to develop; days to break

A lone hacker has unlocked the master key preventing the copying of high-definition DVDs in a development that is sure to get the entertainment industry's knickers wrapped tighter than a magnet's coil. What's more, the individual was able to defeat the technology with no cracking tools or reverse engineering, despite the millions of dollars and many years engineers put into developing the AACS (Advanced Access Content System) for locking down high-definition video.

[The Register - Music and Media]
7:51:01 PM    

miniLinks for 2007-02-13.
[EFF: Deep Links]
7:44:41 PM    

(IN)SECURE Magazine Issue 10. Articles in this issue include: Microsoft Windows Vista: significant security improvement?, Review: GFI Endpoint Security 3, Interview with Edward Gibson, Chief Security Advisor at Microsoft UK, Top 10 spyware of 2006, The spam problem and open source filtering solutions, Office 2007: new format and new protection/security policy, Wardriving in Paris, Interview with Joanna Rutkowska, security researcher, Climbing the security career mountain: how to get more than just a job, RSA Conference 2007 report, ROT13 is used in Windows? You're joking! and Data security beyond PCI compliance - protecting sensitive data in a distributed environment. [(IN)SECURE Magazine Notifications RSS]
7:35:00 PM    

TSA - Not Living Up to Its Middle Name.

The Transportation Security Administration is extending an olive branch to airline travelers who have been delayed or prevented from boarding a plane on account of their name matching an identical one on the agency's "no-fly" list. The TSA recently created a Web site designed to help disgruntled detainees clear their name. However, the would-be passenger must supply some personal data, including date and place of birth, as well as identifying numbers for a driver's license, birth certificate or passport.

This could be a useful service. But TSA is not living up to its middle name - Security. TSA and the contractor that built the site have overlooked a key piece of cyber protection. The site requests a lot of personal information. When a person clicks on "submit form," it transmits an individual's data to TSA without the benefit of the secure data transfer offered by secure sockets layer. In a site secured by SSL, a Web address begins with an "https://" rather than "http://".

Consider what this means for a passenger who is stewing in the airport terminal after missing his flight because a TSA screener confused him with that other Robert Johnson on the TSA's special list. The good Mr. Johnson is told he can try to prevent this misunderstanding from happening again if he submits data requested by the travel identity verification site. He pops open his laptop, hops on the airport terminal's wireless network, completes the form and clicks "submit." Meanwhile, a digital terrorist on the other side of the terminal has just captured the data Johnson submitted because it was sent without SSL.

A tip o' the hat to Chris Soghoian, the boarding pass hacker who spotted this latest transportation security foible.

Noted cryptologist and security expert Bruce Schneier is fond of saying that so much of the Homeland Security Department's protections are "security theater." He says they are constructs designed not necessarily to make us more secure but rather to make us feel more secure. I think that aptly captures much of what is sold to the public in the name of physical and Internet security. But a security device should at least adhere to the physician's motto -- to do no harm.

Update, 9:10 a.m.: Some folks have written in to say they've seen the site offer an SSL certificate but that it warns of a certificate error. If you navigate to the submission form from the main page by clicking on the Traveler Identity Verification form link, it takes you to this page, which offers two links to the same form -- one beginning in "https://" (the link at the top), and another one halfway down the page that does not offer the SSL certificate.

Those commenting so far were visiting the site in Firefox, but when I visit the SSL page in Internet Explorer 7, it gives me a warning page that says "There is a problem with this Web site's security certificate. We recommend that you close this webpage and do not continue to this website."

[Security Fix]
7:31:50 PM    

New Hack Simplifies HD Video Copying. Hacker claims to have discovered cryptographic key that can circumvent copy restrictions on HD DVD and Blu-ray movies. [PC World: Latest Technology News]
7:26:52 PM    


© Copyright 2007 Paul Hardwick.
Last update: 3/4/07; 3:02:57 AM.
