TSA Website’s Security Failings

By Justin McOmie at 11:20 pm on January 13, 2008

A website created for the Transportation Security Administration for the purpose of allowing travelers to resolve watch-list or screening problems was found to be inadequately secured, causing travelers to inadvertently transmit sensitive personal information in the clear. Most of the website was entirely unencrypted, and the few parts that were secured used self-signed certificates, making it impossible for end users’ software to corroborate the validity of the encryption.

This lack of security resulted from a failure to take appropriate security precautions by the company contracted to create the site. What should have happened here, and what should happen for all websites that handle sensitive data, is oversight by people competent in the area of computer security. Some of the basic aspects of oversight could probably be automated by software crawling the internet.
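One basic check such a crawler could run, shown as an added example rather than code from the original post: given a fetched page, flag every form whose data would be submitted in the clear, or that was itself delivered over plain HTTP. The sample markup, the `.example` host names and the sensitive field-name hints are constructed assumptions, and certificate validation is not covered here.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name hints for personal data; an assumed list for illustration.
SENSITIVE_HINTS = ("ssn", "social", "birth", "passport", "card", "password")

class FormCollector(HTMLParser):
    """Collects each <form>'s action and the names of the fields inside it."""
    def __init__(self):
        super().__init__()
        self.forms, self.in_form = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.in_form = True
            self.forms.append({"action": a.get("action") or "", "fields": []})
        elif tag in ("input", "select", "textarea") and self.in_form:
            self.forms[-1]["fields"].append((a.get("name") or "").lower())
    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False

def audit_page(page_url, html):
    """Return (issue, target, sensitive_fields) for every form exposed to cleartext."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        target = urljoin(page_url, form["action"])  # empty action posts back to the page
        sensitive = [f for f in form["fields"] if any(h in f for h in SENSITIVE_HINTS)]
        if urlsplit(target).scheme != "https":
            findings.append(("cleartext-submit", target, sensitive))
        elif urlsplit(page_url).scheme != "https":
            # HTTPS target, but the form arrived unauthenticated and could be altered in transit.
            findings.append(("form-served-over-http", target, sensitive))
    return findings

# Constructed sample page, not the real site's markup.
SAMPLE = """
<form action="submit.asp" method="post">
  <input name="FullName"><input name="SSN"><input name="DateOfBirth">
</form>
<form action="https://secure.redress.example/step2"><input name="PassportNo"></form>
"""

if __name__ == "__main__":
    for finding in audit_page("http://redress.example/apply.html", SAMPLE):
        print(finding)
```

Field names only indicate what a form collects; a finding with an empty sensitive list still means the submission is unprotected.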

The broader issue at hand is that most people are largely unaware of how insecure the vast majority of internet communication is. Because of this, they are willing to transmit sensitive data like credit card and social security numbers via email, IM, or other (typically) insecure methods, without regard to the security implications.

The TSA website that was created insecurely should be revamped with proper security mechanisms put in place. In the medium term, audits should be mandated for governmental websites to make sure that there are no fundamental failings in their setups. In the long term, we should create policies and foster a culture of people who clearly recognize the importance of privacy and the risks of communicating private data insecurely.

Source: http://arstechnica.com/news.ars/post/20080113-tsa-security-flaws-exposed-users-to-risk-of-identity-theft.html

Filed under: Current Events