When you should care about security

November 7, 2010

Recently I wrote about http to https redirection and mentioned in passing something about caring or not caring about security. I figure I should expand on that a bit.

First off: as I mentioned, caring about encryption is not quite the same thing as caring about security. End to end encryption frustrates many sorts of eavesdroppers and is one of the ways of preventing tampering with your traffic. But as lots of people have learned the hard way over the years, encryption by itself does not create security as such.

When I think you should care about security is when you have something important to protect. What's important? My view is that money is clearly important, significant passwords are important, and email is likely to be important. Other things are not necessarily so important.

(Whether a password is significant or not depends on how much it guards access to. For example, I consider our users' passwords to be important, since knowing such a password gives you access to a user's files and all of our services. Some of our users probably disagree with my view.)

The fundamental reason to think about when you care about security is that security is almost always fundamentally inconvenient. Being secure means being less friendly and more of a hassle, both for you and for your users. Before you blindly pay this price, you need to decide if it's called for at all.

(Also, you need to be honest about it. You may think that your website or service is vitally important and so you should be highly secure, even when this inconveniences your users, but you need to make sure that your users agree with this view; otherwise we get grumpy or even quietly bypass it. Also, there is an important difference between allowing users to be secure and forcing them to be secure.)

Written on 07 November 2010.
« Modern versions of Apache and Redirect
When Linux's rp_filter might make sense »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Nov 7 01:26:02 2010
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.