Bush v. Kerry
By Richard M. Smith of www.ComputerBytesMan.com
June 27, 2004
To rate George Bush and John Kerry on the Homeland Security issue, I just completed two quick security audits of the official Bush (http://www.georgewbush.com/) and Kerry (http://www.johnkerry.com/) campaign Web sites. Unfortunately, I found problems at both Web sites.
Here are the results of my testing so far:
Both the Bush and the Kerry Web sites have cross-site scripting (XSS) errors. These errors can allow a prankster to create fake Web pages that load from the Bush or Kerry Web sites but carry additional content supplied from a different Web server belonging to the prankster. A prankster could then say anything they want on a Bush or Kerry Web page using an XSS error. Examples include fake news stories, slogans telling visitors to vote for the other candidate, and doctored photos of a candidate.
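To make the XSS point concrete, here is an added example (my own illustration, not code taken from either campaign site) of the pattern behind such errors: a page that echoes a visitor-supplied query back into its HTML. The unsafe renderer lets any markup in the query become part of a page served from the site's own domain; the hardened renderer HTML-escapes the text first. The search page, the function names and the probe string are all constructed for this illustration.

```python
import html

# Constructed illustration (added example, not code from either campaign site):
# a search page that echoes the visitor's query back into the HTML.

def render_results_unsafe(query: str) -> str:
    """Vulnerable pattern: the query string is pasted into the page as-is,
    so any markup it carries (a tag, an image, a fake headline) becomes
    part of a page that loads from the site's own domain."""
    return f"<html><body><h1>Results for {query}</h1></body></html>"


def render_results_safe(query: str) -> str:
    """Hardened form: untrusted text is HTML-escaped before it is embedded,
    so '<', '>', '&' and quotes are shown literally instead of parsed as markup."""
    escaped = html.escape(query, quote=True)
    return f"<html><body><h1>Results for {escaped}</h1></body></html>"


def reflects_unescaped_markup(page: str, query: str) -> bool:
    """Check a site owner can run against their own pages: does the rendered
    page contain the submitted query with its markup intact? Returns False
    for queries that carry no markup at all."""
    return query in page and query != html.escape(query, quote=True)


# Constructed probe: a harmless tag that only wraps text, which is enough to
# tell whether markup survives rendering.
PROBE_QUERY = "<b>prankster content</b>"

if __name__ == "__main__":
    for name, render in (("unsafe", render_results_unsafe),
                         ("safe", render_results_safe)):
        page = render(PROBE_QUERY)
        print(f"{name}: reflects markup = {reflects_unescaped_markup(page, PROBE_QUERY)}")
```

The escaping has to happen at the point where untrusted text meets HTML; the same rule applies to every parameter a page echoes, not just the search box.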
The Bush Web site has hired a company called Omniture to track users at the Bush Web site. Omniture uses hidden Web bugs to do this tracking. Perhaps this Web site feature was requested by John Ashcroft? ;-) This relationship with Omniture is not spelled out in the Bush Web site privacy policy. For more information about Omniture, check out their Web site at http://www.omniture.com/company.html.
Both the Bush and Kerry Web sites encourage visitors to add banner ads for the candidates to their own Web pages. The Bush banner ad uses JavaScript supplied from the Bush Web server (see http://www.georgewbush.com/WStuff/BPAdFeed.aspx). The Kerry banner ads use an embedded IFRAME (see http://www.johnkerry.com/download/promos.html). Both banner ad schemes allow the campaigns to track visitors to any Web pages where the banner ads appear. In addition, the Bush JavaScript scheme allows the Bush Web server to run any script code inside of other people's Web pages. This scheme doesn't strike me as a very good idea from a security standpoint.
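The Omniture Web bugs and the two banner ad schemes are all the same kind of thing: content a page pulls from a host other than its own, with different consequences depending on how it is embedded. As an added example (my own code, not a tool from either campaign or from Omniture), here is a small audit that a site owner can run over their own page source to list such third-party references and what each one can do. A cross-host script include can run arbitrary code in the page; a cross-host IFRAME is a separate document that can still log the visit; a 1x1 cross-host image is the classic Web bug. The sample page and all hostnames in it are constructed for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not from either campaign site). It mixes local
# resources with a third-party script include, a 1x1 tracking image and a
# third-party IFRAME banner.
SAMPLE_PAGE = """
<html><body>
<h1>Campaign home page</h1>
<script src="/js/site.js"></script>
<script src="http://banner.example.com/adfeed.js"></script>
<img src="http://metrics.example.net/b/ss/visit?pid=home" width="1" height="1" alt="">
<img src="/images/logo.gif" alt="logo">
<iframe src="http://promos.example.org/banner.html" width="468" height="60"></iframe>
</body></html>
"""


class _SrcCollector(HTMLParser):
    """Collects every script, iframe and img tag that carries a src attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "img"):
            attr_map = dict(attrs)
            if attr_map.get("src"):
                self.refs.append((tag, attr_map))


def classify(tag, attrs, page_host):
    """Return a finding for a cross-host reference, or None for same-host ones."""
    host = urlparse(attrs["src"]).hostname  # None for relative URLs like /js/site.js
    if host is None or host == page_host:
        return None
    if tag == "script":
        risk = "third-party script: can run any code in this page"
    elif tag == "iframe":
        risk = "third-party frame: separate document, can log the visit"
    elif attrs.get("width") == "1" and attrs.get("height") == "1":
        risk = "web bug: 1x1 tracking image, logs the visit"
    else:
        risk = "third-party image: can log the visit"
    return {"tag": tag, "host": host, "risk": risk}


def audit_third_party(page_html, page_host):
    """List cross-host scripts, frames and images in page_html, in page order."""
    collector = _SrcCollector()
    collector.feed(page_html)
    findings = (classify(tag, attrs, page_host) for tag, attrs in collector.refs)
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for finding in audit_third_party(SAMPLE_PAGE, "www.campaign.example"):
        print(f"{finding['tag']:7} {finding['host']:22} {finding['risk']}")
```

The script-include finding is the one that matters most: whoever controls that host controls the page. The same parser turned on a page's own source, before publishing a banner snippet, shows what a visitor's browser will actually fetch and from whom.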
It appears that the open source vs. closed source debate has also entered the presidential campaign. The Kerry home page comes from an Apache Web server running on a Red Hat Linux box. The Bush Web site, on the other hand, is hosted on a more corporate Microsoft-powered IIS 5.0 server and uses ASP.NET. I did not check to see if this IIS server is up to date with Microsoft security patches.