2010-11-07
When you should care about security
Recently I wrote about HTTP to HTTPS redirection and mentioned in passing something about caring or not caring about security. I figure I should expand on that a bit.
First off: as I mentioned, caring about encryption is not quite the same thing as caring about security. End-to-end encryption frustrates many sorts of eavesdroppers and is one of the ways of preventing tampering with your traffic. But as lots of people have learned the hard way over the years, encryption by itself does not create security as such.
I think you should care about security when you have something important to protect. What's important? My view is that money is clearly important, significant passwords are important, and email is likely to be important. Other things are not necessarily so important.
(Whether a password is significant or not depends on how much it guards access to. For example, I consider our users' passwords to be important, since knowing such a password gives you access to a user's files and all of our services. Some of our users probably disagree with my view.)
The fundamental reason to think about when you care about security is that security is almost always fundamentally inconvenient. Being secure means being less friendly and more of a hassle, both for you and for your users. Before you blindly pay this price, you need to decide if it's called for at all.
(Also, you need to be honest about it. You may think that your website or service is vitally important and so you should be highly secure, even when this inconveniences your users, but you need to make sure that your users agree with this view; otherwise we get grumpy or even quietly bypass it. Also, there is an important difference between allowing users to be secure and forcing them to be secure.)