The homepage for Southwest Airlines loads over plain, unencrypted HTTP, and has form fields to book a flight, check in, check flight status, and change a flight, all of which POST to unencrypted HTTP endpoints.

There’s a lot of bad things you can do with a confirmation number and full name. If that’s all Southwest requires to change a flight or check-in and obtain a boarding pass, when someone intercepts your details on a public wi-fi network, they can do a whole lot of damage to your travel plans.

The homepage also has a login form which does POST to HTTPS, but it’s still insecure for reasons covered many times in previous posts: when a form loads over HTTP, modified HTML or malicious JavaScript could be loaded to intercept the data or change the POST destination.
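As an added example (this is not code from the original post, nor anything from Southwest), here is a small Python audit that applies the rule from the two paragraphs above to a page's forms: a form is only safe when both the page that serves it and the endpoint its action posts to are HTTPS. A page served over HTTP fails even if the action is HTTPS, because the HTML carrying the form can be altered in transit before the browser submits anything. The page URL and HTML below are constructed placeholders modelled on the behaviour described, not captured from Southwest's site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collects the action/method/id of every <form> tag in a document."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            a = dict(attrs)  # html.parser lowercases attribute names for us
            self.forms.append({
                "id": a.get("id") or a.get("name") or "",
                "method": (a.get("method") or "get").lower(),
                "action": a.get("action") or "",
            })


def audit_forms(page_url, html):
    """Return one finding per form: its resolved action URL and the list of issues.

    Two independent checks are made, matching the two failure modes in the post:
      * the page itself is not HTTPS  -> the form markup/JS can be tampered with in transit
      * the action is not HTTPS       -> the submitted fields travel in cleartext
    An empty finding['issues'] list means the form passed both checks.
    """
    collector = _FormCollector()
    collector.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()

    findings = []
    for form in collector.forms:
        # Relative and empty actions resolve against the page URL, so a relative
        # action on an HTTP page inherits the page's insecure scheme.
        action_url = urljoin(page_url, form["action"])
        action_scheme = urlsplit(action_url).scheme.lower()

        issues = []
        if page_scheme != "https":
            issues.append("form served over HTTP: page content can be modified before submit")
        if action_scheme != "https":
            issues.append("form posts to an HTTP endpoint: fields are sent in cleartext")

        findings.append({
            "form": form["id"],
            "method": form["method"],
            "action": action_url,
            "issues": issues,
        })
    return findings


# Constructed sample: an HTTP homepage with booking and check-in forms posting to HTTP,
# plus a login form that posts to HTTPS (the case discussed above). Placeholder domain.
SAMPLE_PAGE_URL = "http://www.example-airline.test/"
SAMPLE_HTML = """
<html><body>
<form id="book" method="post" action="http://www.example-airline.test/flight/search">
  <input name="origin"><input name="destination"><input name="date">
</form>
<form id="checkin" method="post" action="/flight/checkin">
  <input name="confirmation"><input name="first"><input name="last">
</form>
<form id="login" method="post" action="https://www.example-airline.test/account/login">
  <input name="account"><input name="password" type="password">
</form>
</body></html>
"""


if __name__ == "__main__":
    for f in audit_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        status = "OK" if not f["issues"] else "INSECURE"
        print(f"{status:8} {f['method'].upper():4} {f['form']:8} -> {f['action']}")
        for issue in f["issues"]:
            print(f"           - {issue}")
```

Run against a real page you are responsible for, the same function takes the page URL and the fetched HTML; the only forms that pass are those on an HTTPS page whose resolved action is also HTTPS.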

For all this post-9/11 security theater, one would think that a website that issues travel documents would use SSL to begin the issuance of such travel documents. But you would be wrong at Southwest Airlines.

Southwest was shamed three years ago on the FlyerTalk forums for not using SSL in critical areas; nothing appears to have changed. As highlighted in that forum, Southwest has a policy of placing the onus of security on the user, which is all sorts of wrong:

“Southwest Airlines is not responsible for lost, stolen, or otherwise disclosed passwords. Southwest will not replace points or awards that are generated or redeemed as a result of unauthorized password activity.”

Southwest was then shamed by a security researcher who went to local news stations to report his findings that Southwest’s iPhone app apparently transmits personal information insecurely over HTTP, too. Southwest’s response: zilch. They didn’t return calls to the security researcher for two months, and they didn’t respond to requests for comment from the news station.

When purchasing a ticket on Southwest, the specific flight selection and any disability information are all transmitted over plaintext, unencrypted, unprotected HTTP.

Not to spread fear here, but it’s a well-established fact that individuals with disabilities are often targeted for crimes like theft and sexual abuse. And here, Southwest forces passengers to advertise over insecure and unencrypted HTTP exactly what disabilities they have, what assistance they need, and even if peanuts can kill them – and this is after flight selection, which means there’s a specific date, time, location, and flight number attached:

And to add one more nail to the coffin, Southwest does not let you use any special characters in your password:

I think it’s clear Southwest Airlines has no interest in protecting the security, privacy, and safety of their customers and passengers, and further has no interest in protecting aviation security. There is no reason why an airline website should not be 100% encrypted SSL.