Security Basics mailing list archives

Re: SSL use on non PII pages


From: krymson () gmail com
Date: 11 Mar 2008 17:48:10 -0000

Nice question!

SSL protects the confidentiality of data, whether that data is a login or PII or just anything you'd rather not have 
snooped. Confidential or trade information could be examples. It goes beyond PII stuff.

A side benefit of SSL, and one that SSL vendors are trying to pimp more often these days (whether they're right or 
wrong), is their method of "identifying" the owner of a certificate. If you purchase a certificate, you have to "prove" 
you are the owner of that domain. So you can be more assured that the site is owned by the person or group named on the 
SSL if it is purchased through a legit SSL vendor. This is not ultimate assurance, but a step better than no 
indications or a self-signed SSL that you don't trust. Does this really add value? I guess...depends what your 
stakeholders want.

Is this a compelling reason? I personally don't think so. You'd have to look for yourself, but SSL use on a website 
does increase the overhead processing for the servers. If you have huge use on your sites, adding SSL to more pages 
could (likely will!) have a big impact on your server resources. If you have a small site with limited usage, you could 
get away with wrapping it all in SSL.

If the data you're protecting is nothing confidential or PII-related, there's little use in protecting it, imo.



<- snip ->
So I had an interesting question that came up at my new job. Why would
anyone want an SSL certificate for a site that does NOT contain any PII
or login process on it? Now I am asking this question here because I
know at one point the AOTA was making recommendations for extended SSL
certs to websites to help with phishing problems?

Why would you have an SSL cert on such a page? They do cost money...

In this process, Verisign is stating they have data that points to the
higher usage of websites that have SSL certs on them even without PII on
them. Is that true? Does anyone else know of data that would support
that claim? Disprove it? Can anyone explain to me whether there would be
a positive difference in site usage if it had an SSL cert with it vs one
that does not?

-Dennis
