The S in HTTPS does not equal to a secure site

Setting up HTTPS is just one of the multiple things you have to do to secure your site. The S in HTTPS, alone, doesn’t really mean secure, it only means that the data is encrypted in “transit”.

Unfortunately, HTTPS is the most popular security “upsell” sold to web site owners, generally misleading them into thinking that HTTPS alone will secure/protect their sites. What is even worse is that non-technical people do think that the browser padlock relates to a secure site.

I know this is nothing new to security people, but after years working in a company that does website remediation (and incident response), it is clear to me that this is not common knownledge. “I am using HTTPS, how did I get hacked?”


Adding HTTPS to your site will not make it more secure against attacks or compromises, will not “save the web” and will not protect you or your users against most of the breaches we see out there. Yes, it will protect the data in transit and prevent a malicious ISP or network operator from modifying the content of your site, but that’s about it.

Should I use https?

Yes. Is HTTPS enough to secure my site? No. Configuring HTTPS should be considered just one of the steps you need to take when deploying your site live. Do you have the proper access control in place? Do you monitor your logs? Are you keeping your server, site and all plugins updated? Do you have an intrusion detection in place? Did anyone reviewe the code on your site? Are you using only well-tested and maintained CMS’s? Do you store your passwords securely?

All of those are as important as HTTPS.

Posted in   https   thoughts     by Daniel Cid (dcid)

Coding for fun and profit. Often fun and little profit.