clock menu more-arrow no yes

Filed under:

Federal AIDS website insecurely transmitted user locations for years

New, 6 comments

Everyone loves to hate Healthcare.gov, but there are plenty of other bad websites out there. Take, for example, AIDS.gov. The Washington Post reports that the site has failed to adhere to basic web security protocols for the past few years. As a result, anyone snooping on internet traffic could easily find the location and identity of someone searching for HIV testing facilities or other services.

The culprit is encryption — or rather, the lack thereof. Like the vast majority of websites, AIDS.gov and another similar government site offering HIV assistance, has not used SSL encryption to maintain its users' privacy. SSL, also known as Secure Sockets Layer, is often used on banking websites to scramble data sent between people and websites. It's typically denoted by a green padlock in the address-bar.

A disappointingly low security standard for a sensitive matter

Without SSL, third parties could have easily snooped on the web activity of those using the Department of Health and Human Services-run site. That data includes the precise longitude and latitude of those using the app or website to find nearby clinics or aid centers. Those who used such services on the website while on public WI-Fi hotspots would be at particular risk.

Considering the history of HIV and AIDS, it comes to the surprise of many that the HHS made little effort to keep the privacy of its users secure. But it serves as a worthwhile reminder that not nearly enough sites use SSL or other encryption technologies. According to The Washington Post, AIDS.gov is thankfully no longer on that list — encryption is now mandatory.