-2

Is using the "HTTPS" protocol enough for website data security, or should I use another encryption algorithm (Elgamal, RSA or something else) as well?

Does the BREACH attack described here affect this decision?

Xander
  • 35,616
  • 27
  • 114
  • 141
ENGY
  • 1

1 Answer

2

HTTPS is HTTP-within-SSL (SSL is now known as TLS). The SSL layer provides security for data in transit in the following sense:

  • Eavesdroppers on the line cannot make (much) sense out of what they observe (confidentiality).
  • The client has some strong guarantee that it talks to the server it believes it is talking to, not an impersonator (authenticity).
  • Any alteration of data while it travels from client to server or back will be reliably detected by the recipient (integrity).

HTTPS does not do anything beyond the security of the data transfers. If your Web site does dumb things with the received data, e.g. allowing an SQL injection attack to happen, then HTTPS will in no way prevent it. Additional cryptographic algorithms would not help either. Cryptography, as a rule, provides some features which are very convenient for building up security, but they don't suffice. Piling up algorithms won't make your site "arbitrarily secure" in the same way that adding extra engines will make your car faster, especially if it does not have wheels. A car with no wheel will not go far, even if it has the biggest engine ever, and even if you then add an extra engine. Similarly, HTTPS will not grant automatic protection against everything, and it is not a matter of "not enough algorithms applied".

Also, careless application of multiple cryptographic algorithms has been known to degrade performance (very often) and also to degrade security (less often, but often enough to be a concern). In the car analogy, an extra engine can make your car slower if you plug it backwards, making it oppose the movement from the main engine.

Tom Leek
  • 170,038
  • 29
  • 342
  • 480
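To make the answer's point concrete, here is an added example (not part of Tom Leek's answer or of any project): the same user-supplied value, delivered intact by TLS, reaches two versions of a login lookup. The table, rows and function names are constructed for the illustration; the query built by string concatenation is the "dumb thing with the received data" that HTTPS cannot prevent, and the parameterized query beside it is the application-level fix.

```python
import sqlite3


def build_db():
    # Constructed sample data standing in for the site's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "secret-a"), ("bob", "secret-b")],
    )
    return conn


def lookup_unsafe(conn, name):
    # TLS guaranteed that `name` arrived exactly as the client sent it.
    # That guarantee says nothing about what the application does next:
    # splicing the value into SQL text lets it reshape the query.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn, name):
    # Parameter binding keeps `name` as data; the SQL structure is fixed
    # by the code, whatever bytes the (encrypted) request carried.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = build_db()
    # A crafted value (constructed here) widens the concatenated query to
    # every row; the parameterized version simply matches no user.
    crafted = "' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, crafted))   # both users leak
    print("safe:  ", lookup_safe(db, crafted))     # []
```

The transport layer behaves identically in both cases; only the query construction decides whether the site is exposed, which is why adding more ciphers on top of HTTPS would change nothing here.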