The website was hosted by a private company, did not use SSL, did not have a OBM form number, and was riddled with typos - sure signs that you shouldn't trust it, and enough reason for some to claim (albeit humorously), that it was a phishing site.. After a few phone calls from members of the press, TSA pulled the website.
The TSA Traveler Identity Verification Program website still tells passengers to download and fill out a .pdf form. However,
just like a shady, perpetual going-out-of-business sale retailer, TSA's website has resurfaced again, only this time, with a new name. It isn't linked to yet from the main TSA.gov site, but can be found via links from dhs.gov
The new website is: https://trip.dhs.gov/.
- http is redirected to https. Thus, even if their webmasters make future mistakes, and forget to link to the secure website, their webserver will redirect all non-secure content to their secure server. Good move! Try it. Go to http://trip.dhs.gov and watch as your browser gets redirected to https://trip.dhs.gov/.
- OBM Control Number. Any collection of personal information by the government is required to include a OBM Control Number. This was absent from their previous website, and as reportedly, from the Microsoft Word file previously available for download. You can view their Paperwork Reduction Act Statement (which includes their OBM #1652-0044) here: https://trip.dhs.gov/pra.htm
- No more word documents! They previously had a MS-word file available for download, if you didn't wish to send your information to their outsourced webserver. Predictably, this ms word file included meta-data on who at TSA had edited the file. They have now shifted to a pdf file.
Problem: It is still outsourced.
Both http://www.tsa.gov and http://www.dhs.gov are served by akamai distributed proxies, so it's impossible to figure out where they're actually being hosted.
However, someone from TSA visited my website last month, so I do know that TSA's outbound web proxies are:
pnxuser1.tsa.dhs.gov A 184.108.40.206
pnxuser2.tsa.dhs.gov A 220.127.116.11
pnxuser3.tsa.dhs.gov A 18.104.22.168
pnxuser4.tsa.dhs.gov A 22.214.171.124
pnxuser5.tsa.dhs.gov A 126.96.36.199
(Note, this is why Tor is useful)
Additonally, http://tsa.dhs.gov (which runs a webserver, albeit not one configured for public viewing) resolves to:
tsa.dhs.gov A 188.8.131.52
TSA's new website, http://trip.dhs.gov, resolves to
trip.dhs.gov A 184.108.40.206
Now, it's quite possible that TSA/DHS own a number of chunks of ip address space. All i'm stating here, is that the ip addresses are known to be owned by TSA/DHS are nowhere near the ip used by the trip.dhs.gov website.
I don't know the ip address of the old website rms.desyne.com - since it is no longer listed in DNS records. However, www.desyne.com resolves to 220.127.116.11.
Furthermore, a traceroute of http://trip.dhs.gov, and http://www.desyne.com leads me to believe that they're both hosted in the same data-center. I'd be willing to bet a couple Fin Du Monde beers that even with a change of DNS, that desyne is still running and hosting TSA's Traveler Redress Inquiry Program (TRIP) website.
traceroute to trip.dhs.gov (18.104.22.168), 30 hops max, 38 byte packets
12 so-5-0-0.mpr2.iad1.us.above.net (22.214.171.124) 81.561 ms 118.933 ms 84.338 ms
13 so-3-0-0.mpr1.iad2.us.above.net (126.96.36.199) 82.985 ms 81.489 ms 83.893 ms
14 * * *
traceroute to www.desyne.com (188.8.131.52), 30 hops max, 38 byte packets
12 so-5-0-0.mpr2.iad1.us.above.net (184.108.40.206) 84.352 ms 83.722 ms 84.142 ms
13 so-3-0-0.mpr1.iad2.us.above.net (220.127.116.11) 82.005 ms 82.326 ms 83.552 ms
14 * * *
Ryan additionally states: If cookies are going to be used, the rules require that the site include "clear and conspicuous notice" of the cookies, that there exists a "a compelling need to gather the data on the site," that there are "appropriate and publicly disclosed privacy safeguards" for cookie information, and that the head of the agency personally approves the cookies.
When I browse to both http://www.tsa.gov, and this new unannounced TSA website, I am given a web cookie - "ForeseeLoyalty_MID_8El4YcUdgN".
Admittedly, this is not nearly as big a problem as their un-SSL encrypted webserver. However, I want TSA to have to follow the rules. Especially since they make us follow them, even in cases where they won't actually tell us what the rules are.