CKEditor Spellcheck Plugins Security

We have been using CKEditor a long time (since it was FCKEditor…always loved that name, makes me giggle like a little kid when I even say it to myself) and just love the product. There are 2 plugins that come with it for spell checking, SCAYT, and WebSpellChecker. Both SCAYT (Spell Check As You Type) and WellSpellChecker are enabled by default, however, SCAYT is not enabled for autoload by default. When I realized that I could enable the autoload for SCAYT, I did just that…and then one of my team members asked a very pertinent question, one that I should have asked a long time ago. Have we reviewed the security (or lack thereof) used by these plugins / service?

If don’t already realize this, these 2 spellchecking plugins are a service provided by WebSpellChecker.net. Both of these plugins send the text being checked to this service and return the results. I knew this fact, but that’s as far as I had really considered it.

What I had not considered is if this service was secure. The┬ásite that we use CKEditor on is secure – it has to be. We are a healthcare facility and we have to protect PHI (Protected Health Information). Now, users should never be entering PHI into text boxes that use CKEditor – nor should anyone ever be entering any other data that needs to be secure in these fields (like passwords). However, we all know that this will happen. The data itself is stored secured and we remove this information as we find find it.

After I was asked the question, I did some research on WebSpellChecker.net’s site and general searches as well, but I could find nothing that told me if these plugins used a secure connection or not. So, I finally just tested it myself using Fiddler and was shocked to find out these are not secure (SSL / TLS) connections, but plain text HTTP!

fiddler shows definitively no security is used for ckeditor spellcheck plugins

Needless to say, we have disabled these plugins completely. We were just using the free version of this service anyway. WebSpellChecker.net does have a paid service and maybe if we paid for it, they would provide some way to use HTTPS. I was very surprised thought that a service like this that was enabled by default in a very common WYSIWYG editor was not secure. Glad we caught it.