Security Basics mailing list archives

Re: SSL use on non PII pages


From: Pierre Cadieux <hobbit () theshire com>
Date: Tue, 11 Mar 2008 13:44:14 -0700

Nicely said! :)

In addition, your use of SSL or other processes for protecting data should be in line with your company's data classification policies, data protection policies, etc.

As long as you can show the process you went through to determine that there was or was not any risk (and then why you chose to deploy or not deploy SSL for certain pages), that will make audit happy (but document the discussions and decisions).

Best wishes,

->Pierre

krymson () gmail com wrote:
Nice question!

SSL protects the confidentiality of data, whether that data is a login or PII or just anything you'd rather not have snooped. Confidential or trade information could be examples. It goes beyond PII stuff.

A side benefit of SSL, and one that SSL vendors are trying to pimp more often these days (whether they're right or wrong), is their method of "identifying" the owner of a certificate. If you purchase a certificate, you have to "prove" you are the owner of that domain. So you can be more assured that the site is owned by the person or group named on the SSL if it is purchased through a legit SSL vendor. This is not ultimate assurance, but a step better than no indications or a self-signed SSL that you don't trust. Does this really add value? I guess... depends what your stakeholders want.

Is this a compelling reason? I personally don't think so. You'd have to look for yourself, but SSL use on a website does increase the overhead processing for the servers. If you have huge use on your sites, adding SSL to more pages could (likely will!) have a big impact on your server resources. If you have a small site with limited usage, you could get away with wrapping it all in SSL.

If the data you're protecting is nothing confidential or PII-related, there's little use in protecting it, imo.



<- snip ->
So I had an interesting question that came up at my new job. Why would anyone want an SSL certificate for a site that does NOT contain any PII or login process on it? Now I am asking this question here because I know at one point the AOTA was making recommendations for extended SSL certs for websites to help with phishing problems?

Why would you have an SSL cert on such a page? They do cost money...

In this process, Verisign is stating they have data that points to the higher usage of websites that have SSL certs on them even without PII on them. Is that true? Does anyone else know of data that would support that claim? Disprove it? Can anyone explain to me why there would be a positive difference in site usage if it had an SSL cert vs one that does not?

-Dennis
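As an added example (not code from anyone in this thread), the following Python script shows the "identification" side benefit krymson describes: what a client can actually check about a certificate once the handshake is done, namely which hostnames it claims, whether a CA vouched for it or it is self-signed, and whether the name matches the site you meant to reach. The two certificates are constructed for the example in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns; the names `example.com`, "Example DV CA" and the function names are assumptions, not real issuers or sites. The matching rules follow RFC 6125 (DNS subjectAltName entries take precedence over the subject CN; a wildcard may only be the whole leftmost label and matches exactly one label).

```python
import ssl
import socket

# Constructed sample certificates in the dict shape that
# ssl.SSLSocket.getpeercert() returns: subject/issuer are tuples of RDNs,
# subjectAltName is a tuple of (type, value) pairs. Both are made up for
# this example; no real CA or site is described.
CA_ISSUED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Trust Services"),),
        (("commonName", "Example DV CA"),),
    ),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "example.com"),
        ("DNS", "*.dev.example.com"),
    ),
}

SELF_SIGNED_CERT = {
    "subject": ((("commonName", "localhost"),),),
    "issuer": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "localhost"),),
}


def dns_names(cert):
    """Names the certificate claims to be valid for.

    Per RFC 6125 the subjectAltName DNS entries are authoritative; the
    subject commonName is only consulted when there are no DNS SANs.
    """
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive; a wildcard is only
    allowed as the entire leftmost label, matches exactly one label, and
    is refused for names as short as '*.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    return any(name_matches(n, hostname) for n in dns_names(cert))


def is_self_signed(cert):
    """A certificate whose issuer equals its own subject was not vouched
    for by any CA. (A root CA looks the same; for a server's leaf
    certificate this is the 'self-signed' case krymson mentions.)"""
    return cert.get("subject") == cert.get("issuer")


def classify(cert, hostname):
    """Summarise what the certificate tells you about who runs the site."""
    if is_self_signed(cert):
        return "self-signed: no third party vouched for the owner"
    if not hostname_matches(cert, hostname):
        return "hostname mismatch: issued for " + ", ".join(dns_names(cert))
    return "CA-issued certificate for this hostname"


def fetch_peer_cert(hostname, port=443, timeout=5):
    """Connect with Python's default (verifying) context and return the
    peer certificate dict. A self-signed or untrusted certificate fails
    the handshake here rather than reaching classify(). Needs network
    access, so the offline demo below does not call it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for cert, host in [(CA_ISSUED_CERT, "www.example.com"),
                       (CA_ISSUED_CERT, "api.dev.example.com"),
                       (CA_ISSUED_CERT, "a.b.dev.example.com"),
                       (SELF_SIGNED_CERT, "localhost")]:
        print(host, "->", classify(cert, host))
```

Note that `is_self_signed` is a heuristic on one certificate, not chain validation; the real trust decision is the one `ssl.create_default_context()` makes against the system's CA store during the handshake in `fetch_peer_cert`, which is where a certificate from a vendor nobody trusts gets rejected.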



