HTTPS alone doesn’t secure a WordPress blog server or web site
HTTPS alone doesn’t secure a WordPress blog server or any other web site. HTTPS (or SSL) has been hyped enough by the leading SSL certificate providers that many people believe an SSL certificate or HTTPS somehow secures a WordPress blog server or a regular web site. Well, the truth is, it doesn’t.
Over the years, I’ve heard “Verisign secures my site” from both technical and non-technical people. I shook my head and moved on. Last week, I stumbled upon a new WordPress blog. It states that “As you can see, I’m using SSL. This is the only way I know to reasonably secure WordPress. Since there’s no e-commerce involved, don’t worry that this is not an officially issued SSL certificate.” Since the site is open to anyone, HTTPS is not more secure than HTTP, for the most part.
HTTPS and SSL, like other PKI-based protocols, do have the capability to secure your web site in two respects: access control and transport confidentiality.
- Access control: an SSL certificate can be used to authenticate the server, the client, or both.
  - The most common use is to authenticate the server. A Certificate Authority such as Verisign or Thawte signs the server’s certificate to vouch for the authenticity of the web site; the browser then validates that digital signature against the CA’s own certificate, which ships bundled with modern HTTPS-capable browsers. This can help reduce the liability of the company that owns and/or operates the server.
  - Much less common is to authenticate the client to the server. The server’s security policy requires that the client present a certificate bearing certain attributes, such as a particular CN, before a session is allowed to be established for further communication.
- Transport confidentiality: because the communication between the server and the client is encrypted, the transport itself is secure and confidential.
  - The encryption helps protect privacy and keeps restricted-access account information confidential while in transit.
  - The information is in clear text at both ends of the communication: the server and the client. Therefore, HTTPS doesn’t secure your site as a whole. It secures the transport and nothing else, period.
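One concrete way to put the client-side authentication described above in front of a WordPress admin area, as an added Apache 2.4 mod_ssl example that is not part of the original post (the hostname, file paths and the allowed CNs are assumptions):

```apache
# Added example (not from the original post). Assumed: a private CA at
# /etc/ssl/wp/ca.crt that issues the admins' client certificates, and the
# server certificate/key under /etc/ssl/wp/.
<VirtualHost *:443>
    ServerName blog.example.com
    DocumentRoot /var/www/wordpress

    SSLEngine on
    SSLCertificateFile    /etc/ssl/wp/server.crt
    SSLCertificateKeyFile /etc/ssl/wp/server.key

    # Only client certificates chaining directly to this CA are accepted.
    SSLCACertificateFile  /etc/ssl/wp/ca.crt
    SSLVerifyDepth 1

    # Public pages: server authentication and transport encryption only,
    # exactly what any HTTPS site already gets.
    <Directory /var/www/wordpress>
        SSLVerifyClient none
        Require all granted
    </Directory>

    # Admin area and login page: additionally demand a valid client
    # certificate whose CN is on the allow-list. admin-ajax.php is excluded
    # because anonymous front-end requests legitimately hit it.
    <LocationMatch "^/(wp-admin/(?!admin-ajax\.php)|wp-login\.php)">
        SSLVerifyClient require
        Require expr %{SSL_CLIENT_S_DN_CN} in { "alice", "bob" }
    </LocationMatch>
</VirtualHost>
```

After reloading, verify the policy from the outside: `openssl s_client` (or `curl`) without a client certificate must be refused on `/wp-admin/` while the public pages still load, and a request with a certificate whose CN is not on the list must also be refused.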
As we can see from the discussion above, if a site has no access control in place (basic HTTP authentication, application-layer access control, or PKI authentication), HTTPS alone doesn’t provide any more protection other than a false sense of security. As for how to secure a WordPress blog server and/or other LAMP stacks for real, please refer to my article on the topic.