Update: November 29th, 2011. I have just noticed that Troy Hunt has posted an excellent article on SSL/TLS
I started a poll on LinkedIn. The question:
- "Should web applications which process Personally Identifiable Information (PII) be legally required to use SSL/TLS?"
with a simple Yes or No answer. There is a link to the LinkedIn poll at the bottom of this blog. However, I suggest you read through the following thoughts before answering.
The question could have been:
- "Should web applications which process Personally Identifiable Information (PII) use SSL/TLS?"
But that would have been easy. Most people would probably vote yes because SSL is A GOOD THING. The addition of the "be legally required to" clause makes it more interesting.
Take, for example, a website whose privacy statement reads:
- "We take your individual privacy very seriously. We aim to ensure that this website meets and exceeds all relevant legal and regulatory requirements, including the Data Protection Act."
Great - until you see that they don't use SSL to protect account information: name, address, phone number and so on. In fact, you could argue that this website processes sensitive personal data under the Information Commissioner's Office (ICO) definition. According to the ICO, sensitive personal data "needs to be treated with greater care than other personal data". But no SSL on said website.
Is SSL Already an EU Legal Requirement?
Does the Data Protection Act require SSL? The UK Act is a bit vague. Principle 7 states you "should have security that is appropriate to:
- the nature of the information in question; and
- the harm that might result from its improper use, or from its accidental loss or destruction."
Then the question becomes: "is SSL appropriate?" The website operator can argue that they considered using SSL, but concluded that it wasn't appropriate. The Irish Data Protection Commissioner goes a bit further in their security guidance, stating that encryption:
- "is considered an essential security measure where personal data is stored on a portable device or transmitted over a public network."
So no clear answer.
Why Don't Website Operators Use SSL?
Maybe it's because:
- they genuinely don't even think about it, although the little "https" padlock in the browser is a fairly well-known security measure. This is an InfoSec problem where awareness needs to be raised.
- it is easy to say something like "We take your individual privacy very seriously" and then do nothing about it. That's lip service.
- "Facebook don't use it - so why should we?" Facebook seems to be changing (it began offering HTTPS as an account setting in January 2011).
- it's too difficult to configure. It takes a while, but it isn't that difficult.
- it's too expensive. Google "SSL Certificate" and you can get a GoDaddy cert for €9.99.
- it kills performance. According to the Google engineers who moved Gmail to HTTPS by default, "SSL/TLS is not computationally expensive any more."
- SSL is broken, and has been, more or less every year since 1995.
- users keep getting security warnings when a page mixes secure and non-secure content, i.e. an https page that pulls in scripts, stylesheets or images over plain http.
- apart from Firesheep-like utilities, where is the evidence that the lack of SSL has really been exploited all that much?
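The mixed-content excuse is the one item in that list with a technical fix, and the fix starts with knowing which references on an https page still point at http. The following script is an added example, not code from the original post: it parses an HTML page and reports every sub-resource that would be fetched over plain http, separating active content (scripts, stylesheets, frames, which can rewrite the page), passive content (images, media, which only trigger a warning) and forms whose action is http (which send whatever the user typed, PII included, in the clear). The page URL and markup are constructed for illustration; the example.com hostnames are placeholders.

```python
"""Audit an HTML page served over HTTPS for mixed-content references.

Added example for this post, not the author's code. The URLs and markup
in SAMPLE_HTML are constructed for illustration only.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes that make the browser fetch from (or post to) a URL.
# <a href> is deliberately absent: navigating away is not mixed content.
RESOURCE_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "img": ("src",),
    "source": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "form": ("action",),
}
# Active content can rewrite the page; passive content is display-only;
# a form posting to http:// sends the submitted fields in the clear.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        for attr in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(attr, "").strip()
            if not value:
                continue
            # Relative and protocol-relative ("//cdn...") URLs inherit the
            # page's scheme, so resolve against the page URL before checking.
            absolute = urljoin(self.page_url, value)
            if urlsplit(absolute).scheme != "http":
                continue
            self.findings.append({
                "tag": tag, "attr": attr, "url": absolute,
                "kind": self._classify(tag, attrs),
            })

    @staticmethod
    def _classify(tag, attrs):
        if tag == "form":
            return "form"
        if tag in ACTIVE_TAGS:
            return "active"
        if tag == "link":
            # A stylesheet can load fonts and images and restyle the page;
            # other <link> targets (icons, prefetch) are treated as passive.
            return "active" if "stylesheet" in attrs.get("rel", "").lower() else "passive"
        return "passive"


def find_mixed_content(page_url, html):
    """Return the http:// sub-resources referenced by an https:// page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content is only meaningful for an https:// page")
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: an account page served over HTTPS.
SAMPLE_PAGE_URL = "https://www.example.com/account/details"
SAMPLE_HTML = """<!doctype html>
<html><head>
  <link rel="stylesheet" href="http://static.example.com/site.css">
  <script src="https://www.example.com/js/app.js"></script>
  <script src="http://ajax.example.net/jquery.js"></script>
  <script src="//cdn.example.com/analytics.js"></script>
</head><body>
  <img src="/img/logo.png">
  <img src="http://static.example.com/banner.png">
  <a href="http://www.example.com/help">Help</a>
  <form action="http://www.example.com/account/update" method="post">
    <input name="phone"><input type="submit" value="Save">
  </form>
</body></html>
"""

if __name__ == "__main__":
    for f in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{f['kind']:8} <{f['tag']} {f['attr']}> {f['url']}")
```

On the sample page the protocol-relative and root-relative references resolve to https and are not reported; the stylesheet, the second script, the banner image and the form action are. The form finding is the one to fix first: a user filling in their phone number on an https page would still have it sent over plain http.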
Reasons To Use SSL
- does raise the infamous "security bar"
- is not too difficult to implement
- comes in at number 9 in the OWASP Top 10 (2010 edition, A9: Insufficient Transport Layer Protection)
- is required by PCI DSS (Requirement 4) for cardholder data transmitted over open, public networks
- gives you a nice warm feeling inside
But back to the original question. "Should SSL be legally required when processing PII?" The problem with this approach is that a requirement like this is very difficult to enforce. I think it would be much better trying to persuade developers and website operators to implement SSL rather than trying to use the crude hammer of legislation. So I think I will vote NO.
Here is the link to the Poll itself if you want to cast your vote: