Post by Scott Dorsey
Security is a bunch of things. If you have data that you're putting
onto a web server, confidentiality is likely not a big deal. If it IS
a big deal, perhaps the flat open web server is not the right tool for
the job.
If you have a flat, passive web server just serving out files, your
main worry is data integrity, and to prevent other people from somehow
hijacking the incoming connection to the web server.
Ayup. That certainly depends highly on the information being served.
This determination can sometimes be quite subtle, too. Even
commonly-available data can sometimes be exceedingly sensitive to the
folks browsing the site, for instance. If somebody starts looking up
specific medical conditions, for instance? Maybe that comes back to
haunt the browser? Same for surfing available data that might be
trouble in the particular geography for the browser. It's not just
the data, it's also the metadata. Then there's the fun of the HTTP
ad injection and the connection monitoring and tracking that's
increasingly arising. Or the case when somebody later modifies the
site and adds PUT or UPDATE into the interface vernacular, or sensitive
data into the parameters or such, and doesn't think through the
consequences.
Outside of something akin to an IoT device with no provision to
generate and load a unique certificate — and with full knowledge of
what a mess those IoT devices can increasingly cause — I see very
little reason not to encrypt all web connections. Rule of thumb:
encrypt it, and preferably with PFS. With OpenVMS servers involved,
there's usually little reason not to encrypt the data. There are also
encryption assists available in x86-64 processor hardware from Intel
and AMD, too. https://en.wikipedia.org/wiki/AES_instruction_set et al.
--
Pure Personal Opinion | HoffmanLabs LLC
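To turn the rule of thumb above (encrypt it, preferably with PFS) into something you can actually check, here is an added example that is not part of the original thread or any HoffmanLabs code. It uses only Python's standard `ssl` module; the function names `is_forward_secret`, `harden_server_context` and `probe` are my own, and the host passed to `probe` is whatever you choose to test.

```python
"""Check a TLS endpoint, or a server-side context, against the rule of thumb
"encrypt it, preferably with PFS" (perfect forward secrecy)."""
import socket
import ssl
from typing import Optional, Tuple


def is_forward_secret(cipher_name: str, protocol: str) -> bool:
    """True when the negotiated suite uses an ephemeral key exchange.

    Every TLS 1.3 suite does (EC)DHE, so the protocol version alone settles
    it.  For TLS 1.2 and older the OpenSSL suite name tells: ECDHE-*/DHE-*
    suites are ephemeral, while static RSA key transport (for example
    AES256-GCM-SHA384) lets a later leak of the server key decrypt every
    session that was recorded on the wire.
    """
    if protocol == "TLSv1.3":
        return True
    return cipher_name.startswith(("ECDHE-", "DHE-"))


def harden_server_context(ctx: Optional[ssl.SSLContext] = None) -> ssl.SSLContext:
    """Restrict a server context to TLS 1.2+ and forward-secret AEAD suites.

    Loading the certificate and key (ctx.load_cert_chain) is left to the
    caller so this can be exercised without key material on disk.
    """
    if ctx is None:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Ephemeral ECDH/DH key exchange only for TLS <= 1.2; the TLS 1.3 suites
    # are configured separately by OpenSSL and are all forward secret already.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def probe(host: str, port: int = 443) -> Tuple[str, str, bool]:
    """Connect as a client and report (suite, protocol, forward_secret)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, protocol, _bits = tls.cipher()
            return name, protocol, is_forward_secret(name, protocol)


if __name__ == "__main__":
    import sys  # usage: python pfs_check.py <hostname>
    suite, proto, pfs = probe(sys.argv[1])
    print(f"{proto} {suite} forward secret: {pfs}")
```

`harden_server_context` is the server-side counterpart: every suite left in `ctx.get_ciphers()` after it runs passes `is_forward_secret`, which is the property the post is asking for.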