Tuesday, 17 March 2015

The lesson of the web? There. Is. No. Such. Thing. As. A. Secure. Website.

There is no such thing as a secure website.

You know that.

You've read the papers, listened to the radio, watched TV and browsed the web. You know Sony were hacked. You know JP Morgan Chase were hacked. And Lockheed Martin and the US State Department.

You know that. They know it and so does everyone else – there is no such thing as a secure website.

Knowing that, if someone offers you a web service and promises that it's secure, how do you react?

It doesn't matter who that someone is, it doesn't matter how often they claim to take security seriously, it doesn't matter if they claim to have learnt the lessons about privacy and confidentiality and security, the promise is suspicious.

Does this someone believe that you can't read or understand the news or draw elementary logical conclusions from the unmistakable evidence?

They must do.

They must think they're marketing to cretins.

It's extraordinary that anyone in the 21st century is still offering security on the web. We all know that it's not available. That's the lesson of the web. There is no such thing as a secure website. If you don't get that, you don't understand the web.

Anyone who takes your intelligence seriously will acknowledge that when they market to you. They will say that they take all due care and they expect you to take all due care but that security breaches are inevitable and that there is a well-oiled compensation scheme in place for when they happen.

Anyone else now, today, in the 21st century, looks like nothing more than an old-fashioned mountebank.

Anonymous said...

Just a small point; all of the breaches you mentioned had nothing to do with websites; ref:

Sony Pictures: network compromise (nothing to do with a website): https://www.riskbasedsecurity.com/2014/12/a-breakdown-and-analysis-of-the-december-2014-sony-hack/

JPMorgan Chase: account compromise (nothing to do with a website): http://arstechnica.com/security/2014/12/jpmorgan-chase-hack-because-of-missing-2-factor-auth-on-one-server/

Lockheed Martin: RSA token attack for VPN (nothing to do with a website): http://www.darkreading.com/risk-management/lockheed-martin-suffers-massive-cyberattack/d/d-id/1098013?

US State Department: Unclassified email system hacked (nothing to do with a website): http://www.reuters.com/article/2014/11/17/us-cybersecurity-statedept-idUSKCN0J11BR20141117

Security can never be absolute, in the same way that no alarm system can guarantee not to prevent all burglaries (and very few alarm systems offer compensation if you do get burgled). However you *can* design secure web services, making use of best practice, raising the level of effort needed to compromise them, and having systems in place to recover quickly if needed.

David Moss said...

Anonymous@12:44 on 18 March 2015, thank you for your comment, well-made and well-taken.

Your alarm system may not pay you compensation but your insurance policy will.

The level of effort needed to breach security seems to be achieved very frequently.

What recovery is possible when you have lost an unreleased film or the design for a jet fighter?

"You *can* design secure web services", you say – begging the question?