Someone once said – and I got this quote from the computer game Sid Meier’s Alpha Centauri, so I’m not sure if they got it from elsewhere – “The pinnacle of military deployment approaches the formless, for if it is formless, then even the deepest spy cannot discern it nor the wise make plans against it.”. I would modify that wisdom to apply to information security: The pinnacle of secure information is the nonexistent, for if it is nonexistent, then even the deepest spy cannot leak it nor the most talented cracker steal it.
I mentioned in a previous post that I was setting up a new web site, dragonsmoke. I set it up because I want to run my own web server at home. Like much of what I create, the final product (the content being served) is less important than the process of creating it (setting up a secure server).
I have been using various automated testing tools to harden my server’s security. The first one I discovered, and the one that has been most helpful so far, is Qualys SSL Labs’ SSL Server Test. I have taken a repetetive-testing approach to web site security: first I got the site running with a Let’s Encrypt HTTPS certificate, then I ran the test, then I fixed whatever it told me to fix, then I ran the test again, and so on. Now I have an A+ rating on that test. A+ is great, but I want perfect.
Out of curiosity, I also ran the SSL Server Test against my bank’s web site: its overall score was identical to mine, A+ but could be better. I did notice one small area where my site did better: On the advice of security expert Steve Gibson, I use OCSP Must Staple. I can see no reason not to; it’s so easy to set up.
I think my score will improve slightly when dragonsmoke gets added to the HSTS preload list. I’ve submitted it for inclusion, now I just have to wait.
The second automated test I discovered was Observatory by Mozilla. It recommended some HTTP headers that I’d never heard of before, which I could configure my web server to send. So that’s a plus. Now dragonsmoke has an A+ rating here too, but again not a perfect score.
I’ve put all this effort into encrypting connections to my web site, making it really hard for any MITM to see or modify any of the data sent between client and server. The most important step in creating information security is not the encryption, though: it is the data itself. The less data there is, the less likely it is for important data to leak. I know that a bank may need to send and receive lots of potentially interesting data: credit card details, names, passwords, PINs, phone numbers, you name it. Dragonsmoke does not need that info, so it provides no means for users to enter that info. No data is collected at all. That is how I know that my site is more secure against data theft than my bank’s site.
I still want perfect scores though. Just because my site is small and niche does not mean I will settle for less.