Today, Hillary Clinton announced that she’s running for president. She also launched a new website.

Over the next year, political pundits will spend far too much time dissecting the horse race, scandals (real or imagined), the electoral college and more polls than you can shake a stick at. I’m doing none of that. I’m just looking at websites.

So, you want to run a country. Can you hire someone who can run a website? These days, that means all new sites, whether running the government or delivering news should be built over HTTPS.

Here’s how the (declared) candidates’ sites fare:

Site hillaryclinton.com tedcruz.org randpaul.com marcorubio.com Expected HTTPS works ✔ ish [1] ✔ ✔ ✔ HTTPS default ✔ ✖ ✖ ✔ ✔ HSTS ✖ — — ✖ ✔ Requires SNI [2] ✖ ✖ ✖ ✔ ✖ https site.com redirects to www 404 error works works — https www.site.com works redirects to http://www.tedcruz.org works redirects to https://marcorubio.com — canonical hostname www.hillaryclinton.com www.tedcruz.org none marcorubio.com something SSL Labs rating A [3] A A A A+ sha2 ✔ ✔ ✔ ✖ ✔ intermediate sha2 ✔ ✖ ✖ ✖ ✔ cert vendor Comodo RapidSSL RapidSSL Comodo — intermediate cert vendor Comodo GeoTrust Global CA GeoTrust Global CA Comodo — cert type Wildcard Wildcard Wildcard SAN Wildcard or Standard CDN Fastly CloudFlare CloudFlare CloudFlare something Server signature nginx (hc.com)

AmazonS3 (www) CloudFlare nginx CloudFlare nginx CloudFlare nginx — Tech Python (?) [gunicorn 19.1.1 + Varnish]

groundwork [4] WordPress 4.1.1 PHP 5.5.9

Ubuntu WordPress 4.1.1 — Registrar Network Solutions GoDaddy Fabulous.com Pty Ltd GoDaddy hopefully not GoDaddy Whois Privacy — Domains By Proxy, LLC Whois Privacy Services Pty Ltd Domains By Proxy, LLC — Origin IP ?? 64.39.8.246 [5] ?? ?? — Origin Server ?? Apache/2.2 ?? ?? — Mail server Gmail Gmail Gmail Gmail — IPv6 ✖ ✔ ✔ ✔ ✔ ESP (SPF) SilverPOP Systems Marketo, Sendgrid Mailgun VerveMail — SPF type TXT TXT TXT SPF TXT robots.txt ✔ ✔ ✔ ✖ ✔ robots details Disallow: /api/ Disallow: /wp-admin/ nothing disallowed [6] — Site hillaryclinton.com tedcruz.org randpaul.com marcorubio.com Expected

I’ll update this as more candidates declare or sites change.

Notes

https://www.tedcruz.org works, but https://tedcruz.org gives a 404 error. Sites that require Server Name Indication (SNI), such as this one, are incompatible with a handful of legacy browsers. Fastly’s www.hillaryclinton.com gets a score of 90 on key exchange, while the AWS servers (hillaryclinton.com) get a score of 80. The AWS servers also have an extra cert in the chain (signed with SHA1). Groundwork appears to be a custom JavaScript web framework. It does not seem to be related to either the I Like Robots Groundwork or Groundwork CSS. Likely origin, based on server responses. Redirects to https://www.marcorubio.com/landing/stream/.

Updates