Data Security 03-28-2016

Debunking SSL and HTTPS Security Myths

Sara Drury

While SSL Certificates and HTTPS encryption have been proven essential in enterprise security, many businesses still put their confidence into unsecure networks like the Cloud or other large data environments. This is because many fall prey to common misperceptions about encryption and key management that relate to cost, performance, and ease of use, which reverts security tactics like SSL and HTTPS to a mere afterthought.

Therefore, to straighten out these common misperceptions about encryption, websites like WIRED and The Collective PC have helped identify and debunk a few of the biggest and most common data encryption myths.

  MYTH: Encryption is only for organizations that have compliance requirements. TRUTH: If you’ve got data about your products, customers, employees, or market that you believe is sensitive/competitive, then you should always encrypt it, whether there’s legal obligation or not.   MYTH: SSL encrypts data everywhere. TRUTH: SSL only encrypts data in motion, NOT at rest. Companies should always secure their data as it’s written to a disk, regardless of how long it will be stored.   MYTH: Encryption is too complicated and requires too many resources. TRUTH: Data encryption doesn’t have to be difficult, as long as you understand the type of data that requires encryption, where it lives, and who should have access to it.   MYTH: Encrypted data is secure data. TRUTH: Many organizations fail to effectively manage their encryption keys by either storing them on the same server as the encrypted data or allowing a cloud provider to manage them. Good key management, with strong policy enforcement makes all the difference.   MYTH: If your data is encrypted, it can’t be stolen. TRUTH: Companies should expect their data to be compromised at some point, because no security solution will protect data 100% of the time. However, data encryption can make the aftermath of a breach much less destructive since encrypted data cannot be decrypted without the key.   MYTH: Only website login pages require HTTPS. TRUTH: This myth could not be any more false. Pages beyond the login page without HTTPS increase the chances of sessions getting hijacked, especially when connected to public, unencrypted networks.   MYTH: HTTPS slows down websites. TRUTH: HTTPS has no real noticeable effect on website speed. However, you can upgrade your processor to handle the additional work of encrypting data.   MYTH: SSL Certificates are too expensive. TRUTH: If you shop around, SSL Certificates can be found at affordable prices. When considering the long-term implications of data breach without proper protection, purchasing a good SSL Certificate is in fact not expensive at all when compared to the consequences without one.   MYTH: There is no caching on HTTPS sites. TRUTH: Simply put, you can prompt web browsers to cache HTTPS sites by using response headers.  

Securing enterprise data begins with proper HTTPS encryption and SSL protection on the systems where such data is located and the networks used to access it. CSO Online recommends the “security in depth” approach, which uses multiple layers of protections from a variety of threats. Remember that when it comes to security, more is always better than not enough.


3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories


Pioneering the next wave of secure digital solutions 


4 best practices for bulk email senders



Driving digital trust with SOC 2-compliant DNS