Browsing TSA's website this evening, I came across a link to the new TSA Traveler Identity Verification Program.
"The TSA Traveler Identity Verification Program is designed to assist those airline passengers who have been delayed or prevented from traveling as a result of TSA's security measures."
The site is specifically aimed at passengers who have suffered from any of the following problems:
* Unable to print Boarding Pass at Kiosk/Home
* Directed to Ticket Counter every time I fly.
* Ticket Agent states that I am on a Federal Government Watch List
* Missed flight while attempting to obtain boarding pass
You can submit a handy-dandy form online to register your request/complaint.
Two things immediately jump out at me.
1. You are required to enter sensitive information from three of the following forms of identification:
A non-U.S. Passport, Voter Registration Card, Immigrant Visa, Driver's License, Birth Certificate, Government Identification Card, Naturalization Card, Military Identification Card, Certificate of Citizenship, DD Form 214.
These are very sensitive bits of info. A drivers licence number in particular, is often used by banks (due to Patriot Act provisions) to authenticate you when you open an account.
Worst of all - the form you submit doesn't go over an SSL connection! It goes plaintext over the wire. Heaven forbid you do this from an airport starbucks after being denied boarding, as anyone could sniff your info.
The relevant bit of code in question: form method=POST action=/pivf.htm
Now, they do at least have a ssl webserver running at https://rms.desyne.com/. But they're using a self-signed cert.
Update: I want to make it clear. I've only tested this by pressing submit on an empty form, and by viewing the source code to the form. To tell for sure, I'd have to submit a request to TSA - with bogus data.. and my now finely tuned "will TSA investigate me for this" radar tells me that submitting false information to an official government request form is a bad bad idea.
I searched the source for the words "https" - nothing.
I also found the 'form method' section, where it describes how the form is submitted.
2. Unlike the rest of the TSA website, this is served from a different domain: http://rms.desyne.com/
Which means that a private company is running this site...
The whois database shows as follows:
Administrative Contact, Technical Contact:
Desyne, Inc. dns@DESYNE.COM
Desyne Web Services, Inc.
PO Box 143
Boston, VA 22713
(703) 391-2400 fax: (703) 391-2550
Record expires on 21-Mar-2015.
Record created on 20-Mar-1996.
Database last updated on 13-Feb-2007 21:32:10 EST.
This begs the question: Who are these guys, why don't they know how to use SSL and how were they awarded this sweet contract?
Why can't TSA do a simple form submission themselves?