In my previous interactions with Anthony Watts it really showed that he doesn’t have the necessary knowledge and experience to comment on IT related subjects. A subject I’m far more knowledgeable about as I’m a software engineer.
This was obvious with his blog post ‘Obama’s “for the children” climate change video announcement – only a few hundred views so far’ where he didn’t know that the view count for a YouTube video isn’t updated in real time. He ignored my criticism about it and the video that had just “a few hundred views so far” is now at 450,000 views. Which means this video has done very well compared to other videos that often don’t exceed 10,000 views.
Or the trust that Watts has in the unreliable traffic statistics of Alexa. How Alexa gathers these statistics makes them extremely unreliable and shouldn’t be used for any serious traffic comparisons between websites. Again my criticism on this subject was ignored and Watts blocked me on Twitter.
This time Watts again commented on an IT subject in his blog post ‘My Obamacare experience‘ (archived here). In it he complains about SSL certificate security issues on websites where you can register for insurance under the Affordable Care Act (and also compare health care insurance). This is his main gripe:
So, I decided to find out myself. I went to http://healthcare.gov and chose my state, California. What follows is a record of what I actually got. I never made it past step 1
To be accurate, the website security certificate will work if the “www” is used as prefix, but not the link above sans www. By following the link from the Tribune article, with no other changes on my part, I ended up with the sans “www” connection, which they didn’t get a proper security certificate for. One wonders how many other “glitches” exist in basic security on these websites.
Even when you go in with the “www” there are problems.
What you need to know is that a SSL certificate encrypts the data that you send to and receive from the server a website runs on. This encryption still works in the situations that Watts encountered (the messages are about trust levels, not about the certificate not working).
The warning he got was that the domain in the certificate doesn’t match the domain in the browser’s address bar. The certificate in use was generated for the domain www.coveredca.com and not for the domain in the link coveredca.com. This mismatch is what modern browsers warn you for. The certificate will work just fine if you tell your browser to accept it.
Certainly sloppy, but it is easily fixed:
- Add the www part to links used on the website.
- Add a rewrite rule to the server that adds the www part if it is missing.
That’s how minor this issue is with the coveredca.com website.
The calheers.ca.gov website that Watts also mentions is a bit more serious. There they seem to be using their development SSL certificate on the live website. That’s extremely sloppy from the company that made these websites and should have been noticed. However the data sent and received is still encrypted despite this mistake. (the cause for this seems to be that the website was down for maintenance)
But all this can only be used towards criticising California for the software vendor they chose (the federal website is working just fine). It certainly cannot be used as a criticism towards the Affordable Care Act itself.