With regard to Dogma, I feel it's often useful to follow the "Dogma" (ie, advice of the experts) in the area's you dont have a good understanding of, rather than dismissing it as Dogma. On a personal note, I wish more products treated access to Personally Identifiable Information with more security than credit card numbers. At least I can change my credit card, much harder to change my DOB.
"It is perfectly possible to build a site and serve it via HTTP that is more secure than a site served over HTTPS".
Could you elaborate on that statement? Otherwise I feel it does considerable more harm than any good it does to have in the article.
I am a developer with a passion for testing. I've been coding for 14 years and I want to share my experience and learnings with other developers to help them write better software.
Thanks for the comment and feedback, sorry I haven't responded to this sooner, I've been a little busy with work and other things...
To answer your questions, I absolutely agree that it's sensible to follow the advice of experts. I just believe there is a difference between this and following dogma which can be counterproductive.
In terms of of HTTP vs HTTPS: A Jekyll / Static site served over HTTP is likely more secure than a WordPress / Drupal site served over HTTPS. My point was simply that HTTPS does not guarantee security, merely increases it. You shouldn't implement HTTPS and assume you're safe.
I think your statement about Site Security and HTTPS is conflating two very different aspects of security to the point of being harmful to a less-informed reader.
I'd argue that HTTPS in no way increases your site's security (for some definition of security). Any expectation that is does is misinformed. What is does do is well documented by others such as Troy Hunt, so I'll link to that rather than poorly attempting to make the same point. Overall HTTPS is about the security of your visitors, not how hackable your own platform is.
It's certainly not dogma, but just good practice, and with the prevalence of services like CloudFlare and LetsEncrypt, the barrier to entry is pretty much zero now.
Cheers!
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
Hey Rob, a few good points in there.
With regard to Dogma, I feel it's often useful to follow the "Dogma" (ie, advice of the experts) in the area's you dont have a good understanding of, rather than dismissing it as Dogma. On a personal note, I wish more products treated access to Personally Identifiable Information with more security than credit card numbers. At least I can change my credit card, much harder to change my DOB.
"It is perfectly possible to build a site and serve it via HTTP that is more secure than a site served over HTTPS".
Could you elaborate on that statement? Otherwise I feel it does considerable more harm than any good it does to have in the article.
Golden -> Implement a proportionate solution
Hi Thomas,
Thanks for the comment and feedback, sorry I haven't responded to this sooner, I've been a little busy with work and other things...
To answer your questions, I absolutely agree that it's sensible to follow the advice of experts. I just believe there is a difference between this and following dogma which can be counterproductive.
In terms of of HTTP vs HTTPS: A Jekyll / Static site served over HTTP is likely more secure than a WordPress / Drupal site served over HTTPS. My point was simply that HTTPS does not guarantee security, merely increases it. You shouldn't implement HTTPS and assume you're safe.
I hope that answers your questions.
Hi Rob, No worries.
I think your statement about Site Security and HTTPS is conflating two very different aspects of security to the point of being harmful to a less-informed reader.
I'd argue that HTTPS in no way increases your site's security (for some definition of security). Any expectation that is does is misinformed. What is does do is well documented by others such as Troy Hunt, so I'll link to that rather than poorly attempting to make the same point. Overall HTTPS is about the security of your visitors, not how hackable your own platform is.
troyhunt.com/dont-take-security-ad...
troyhunt.com/the-6-step-happy-path...
It's certainly not dogma, but just good practice, and with the prevalence of services like CloudFlare and LetsEncrypt, the barrier to entry is pretty much zero now.
Cheers!