Donating to Ted Cruz’s Presidential Campaign Is a Digital Minefield

The road to the senator's donation box is paved with dummy sites and shady security standards

Ted Cruz just turned the lens on himself by announcing a presidential run. But if you were thinking of donating to his website, be careful. (Photo: Getty)

Texas Senator Ted Cruz took a page out of Beyoncé’s book last night when he unexpectedly announced his run for the 2016 presidential election on Twitter, in the middle of the night on a Sunday, when no one in their right mind should be checking Twitter:

You’d think that, being the first major candidate to announce a bid for the 2016 Presidential election, the team would have been prepared to take the money of excited Republicans ready to reclaim the White House. Unfortunately, trying to throw your money at Ted Cruz is fraught with cybersecurity perils at best, and a total shit-show at worst. Let’s take the journey…

First, you have to get the URL right. Trying TedCruzForAmerica.com redirects to Healthcare.gov, the official page for Obamacare. If you try TedCruz.com, you reach this message:

Ok, maybe not... (Screengrab: Jack Smith IV)

O.K., maybe not… (Screengrab: tedcruz.com)

This is just a case of domain squatters trying to mess with your head by buying up his name to troll supporters. So maybe you take the direct route and just Google the damn page. Google “donate to Ted Cruz” or some other variation of those words, and the first result is for https://www.tedcruz.org/contribute/ which gives you this message:

Why yes, it is kind of embarrassing. (Screengrab: TedCruz.org)

But at least you’ll find the correct site: TedCruz.org. Unfortunately, donating money—even at the correct address—isn’t as safe as it should be.

If you type in http://www.tedcruz.org, you’ll reach the correct site, but it will have no SSL certificate. In plain English: the Ted Cruz presidential campaign built a website that isn’t always protected by basic encryption—there are ways for malicious actors to redirect and spoof the site so that you end up putting your money in the wrong piggy bank.

To get around this, you can go in and manually re-type the entire address as https://www.tedcruz.org and activate the site’s certificate. But when a Vox reporter manually typed in the “https” prefix to the URL, they checked the certificate and noticed that “nigerian-prince.com” is listed as an alternative domain for Ted Cruz’s campaign donations.

The issue with the “nigerian-prince.com” certificate seems to be resolved, though the site is still only partially encrypted—if you check the SSL certificate information, it will warn you that, in fact, “this page includes other resources which are not secure,” and that, “these resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page.”
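Both findings above, the stray name on the certificate and the "other resources which are not secure" warning, can be checked mechanically by a site owner. The Python below is an added example, not code from the campaign, Vox or this article; the function names, the sample HTML, the `example.test` hosts and the sample certificate name list are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes that make a browser fetch from, or submit to, a URL on this page.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "form": "action"}
LINK_RELS = {"stylesheet", "icon", "preload"}

class MixedContentFinder(HTMLParser):
    """Collects subresource URLs that an HTTPS page would load over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.insecure = page_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            ref = attrs.get("href") if rels & LINK_RELS else None
        else:
            ref = attrs.get(FETCH_ATTRS.get(tag, ""))
        if not ref:
            return
        # Relative and protocol-relative references inherit the page's scheme.
        resolved = urljoin(self.page_url, ref)
        if urlparse(resolved).scheme == "http":
            self.insecure.append(resolved)

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.insecure

def unexpected_sans(san_names, expected_domain):
    """Certificate names that are neither the expected domain nor a subdomain of it."""
    expected = expected_domain.lower()
    def off_domain(name):
        host = name.lower()
        host = host[2:] if host.startswith("*.") else host
        return host != expected and not host.endswith("." + expected)
    return [n for n in san_names if off_domain(n)]

# Constructed sample input, not captured from the real site or its certificate.
SAMPLE_PAGE = """
<link rel="stylesheet" href="/css/site.css">
<script src="http://static.example.test/tracker.js"></script>
<img src="//img.example.test/banner.png">
<form action="http://forms.example.test/donate" method="post"></form>
"""
SAMPLE_SANS = ["tedcruz.org", "*.tedcruz.org", "nigerian-prince.com"]
```

On the sample input, the script and the form target are reported as insecure, and `nigerian-prince.com` is the only certificate name reported as off-domain.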

From someone as outspoken about open-Internet issues as Mr. Cruz, we’d expect a little more sophistication. Perhaps he should take a cue from his more forward-thinking colleagues in Congress and take Bitcoin for campaign donations. In the meantime, if you’re a donor, we recommend hanging tight until these problems are resolved.

Or just send a check.