I think your concern is legitimate. I imagine that organizations wishing to make use of the app or modify it will imbue it with trust by associating themselves with it - ie a League of Women Voters logo somewhere on the page. As the article points out though, there are a lot of regulations in this space so I'm not sure if that is allowed.

As far as SSL goes yes I think at the very least the production.rb file should declare `config.force_ssl = true`.