Security Basics mailing list archives
Re: SSL use on non PII pages
From: Pierre Cadieux <hobbit () theshire com>
Date: Tue, 11 Mar 2008 13:44:14 -0700
Nicely said! :)

In addition, your use of SSL or other processes for protecting data should be in line with your company's data classification policies, data protection policies, etc.
As long as you can show the process you went through to determine whether or not there was any risk (and then why you chose to deploy or not deploy SSL for certain pages), that will make audit happy (but document the discussions and decisions).
Best wishes,
->Pierre

krymson () gmail com wrote:
Nice question! SSL protects the confidentiality of data, whether that data is a login or PII or just anything you'd rather not have snooped. Confidential or trade information could be examples. It goes beyond PII stuff.

A side benefit of SSL, and one that SSL vendors are trying to pimp more often these days (whether they're right or wrong), is their method of "identifying" the owner of a certificate. If you purchase a certificate, you have to "prove" you are the owner of that domain. So you can be more assured that the site is owned by the person or group named on the SSL if it is purchased through a legit SSL vendor. This is not ultimate assurance, but a step better than no indications or a self-signed SSL that you don't trust. Does this really add value? I guess... depends what your stakeholders want. Is this a compelling reason? I personally don't think so.

You'd have to look for yourself, but SSL use on a website does increase the overhead processing for the servers. If you have huge use on your sites, adding SSL to more pages could (likely will!) have a big impact on your server resources. If you have a small site with limited usage, you could get away with wrapping it all in SSL. If the data you're protecting is nothing confidential or PII-related, there's little use in protecting it, imo.

<- snip ->

So I had an interesting question that came up at my new job. Why would anyone want an SSL certificate for a site that does NOT contain any PII or login process on it? Now I am asking this question here because I know at one point the AOTA was making recommendations for extended SSL certs to websites to help with phishing problems? Why would you have an SSL cert on such a page? They do cost money...

In this process, Verisign is stating they have data that points to the higher usage of websites that have SSL certs on them even without PII on them. Is that true? Does anyone else know of data that would support that claim? Disprove it?
Can anyone explain to me whether there would be a positive difference in site usage if it had an SSL cert vs. one that does not?
-Dennis
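The thread's point that a purchased certificate "identifies" the site owner while a self-signed one gives you nothing to trust comes down to a few concrete checks a client performs on the server's certificate. The script below is an added example, not code from the thread or from any of its posters: it runs those checks over the dictionary format that Python's `ssl.SSLSocket.getpeercert()` returns, using two constructed sample certificates (one CA-issued, one self-signed) so it works offline. Real clients additionally verify the signature chain against a trust store, which `ssl.create_default_context()` does for you in `fetch_live_cert`; the subject-equals-issuer test here is only the quick self-signed heuristic.

```python
"""Added example: the checks behind "CA-issued vs. self-signed" certificate trust.
Operates on ssl.getpeercert()-style dicts; sample certificates are constructed."""
import socket
import ssl

# Constructed sample: the shape getpeercert() returns for a CA-issued certificate.
CA_SIGNED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Trust CA"),),
               (("commonName", "Example Trust Root"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
    "notBefore": "Mar 10 00:00:00 2008 GMT",
    "notAfter": "Mar 10 23:59:59 2009 GMT",
}

# Constructed sample: a self-signed certificate (issuer is the subject itself).
SELF_SIGNED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"),),
    "notBefore": "Mar 10 00:00:00 2008 GMT",
    "notAfter": "Mar 10 23:59:59 2009 GMT",
}

# Reference "now" for the offline checks: the date of the post above.
NOW_2008 = ssl.cert_time_to_seconds("Mar 11 13:44:14 2008 GMT")


def _rdns_to_dict(rdns):
    """Flatten getpeercert()'s nested tuple-of-tuples name into a flat dict."""
    return {k: v for rdn in rdns for (k, v) in rdn}


def hostname_matches(cert, hostname):
    """Does the certificate name the host we connected to?
    Prefer DNS subjectAltName entries; fall back to the CN only when there are none.
    A wildcard ('*.example.com') matches exactly one DNS label."""
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [_rdns_to_dict(cert.get("subject", ())).get("commonName", "")]
    host = hostname.lower()
    for pattern in names:
        p = pattern.lower()
        if p.startswith("*.") and "*" not in p[2:]:
            if host.count(".") == p.count(".") and host.endswith(p[1:]):
                return True
        elif p == host:
            return True
    return False


def assess_cert(cert, hostname, now_epoch):
    """Return the individual trust checks plus an overall verdict.
    self_signed uses the subject==issuer heuristic; a full client also validates
    the signature chain to a trusted root, which this offline check cannot do."""
    subject = _rdns_to_dict(cert["subject"])
    issuer = _rdns_to_dict(cert["issuer"])
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    findings = {
        "self_signed": subject == issuer,
        "hostname_ok": hostname_matches(cert, hostname),
        "in_validity_period": not_before <= now_epoch <= not_after,
    }
    findings["trustworthy"] = (not findings["self_signed"]
                               and findings["hostname_ok"]
                               and findings["in_validity_period"])
    return findings


def fetch_live_cert(host, port=443):
    """Fetch a real server's certificate with full chain verification enabled.
    Raises ssl.SSLCertVerificationError for a self-signed or otherwise untrusted
    chain, which is exactly the browser-side "do you trust this site?" decision.
    Needs network access; not exercised by the offline checks above."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in (("CA-issued", CA_SIGNED), ("self-signed", SELF_SIGNED)):
        print(label, assess_cert(cert, "www.example.com", NOW_2008))
```

Run it as-is to see the two constructed certificates assessed side by side; point `fetch_live_cert` at a host of your own to see the same decision made against a real chain.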
Current thread:
- SSL use on non PII pages Dennis Dayman (Mar 10)
- <Possible follow-ups>
- Re: SSL use on non PII pages krymson (Mar 11)
- Re: SSL use on non PII pages Pierre Cadieux (Mar 11)