Info Only

confidentiality Dec 18, 2017

I thought that I would start this blog post off with the single Tweet that started off the whole debacle which resulted in NatWest ending up in the news. The problem is that while, yes, the information is public, all the data returned over plain HTTP can be manipulated.

In the security field there is a basic concept known as the CIA triangle where:

  • Confidentiality – the data being transmitted/processed is not viewable by an attacker.
  • Integrity – the data being transmitted/processed cannot be tampered with by an attacker.
  • Availability – the data being transmitted/processed cannot be made unavailable by an attacker.

HTTPS provides 2 of the 3 principles of the CIA triangle, namely confidentiality and integrity. Firstly, the data is encrypted (confidentiality), so while an attacker may be able to observe the data being transmitted, it is of no use to them. Secondly, integrity: an attacker could attempt to modify the encrypted data, but the modification will be detected by the receiving end of the communication.

But It’s Not Sensitive Information

And this leads me to the purpose of this blog. All too often I come across people who state that simply because the information is public or not sensitive, that is a valid reason not to use HTTPS. Nothing could be further from the truth! Take the above example with NatWest. They have a login link on their page, they have contact numbers, they have security FAQs, and the list goes on. An attacker who has achieved a Man in The Middle (MiTM) position can alter all of that information with little effort. To illustrate this, I modified the login link:

And this relates to the above principle of integrity. Without HTTPS, there is no way to confidently say that the data delivered between the client and server has not been tampered with. So it's vital that HTTPS is still used, even if the data is public or not sensitive.
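To make the integrity point concrete, here is an added Python example (not code from the original post) that models a plain-HTTP response beside a MAC-protected record standing in for a TLS record: the page fragment, the session key and the rewritten login link are constructed values, and HMAC is used only as a simplified stand-in for what TLS actually does.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple
# Constructed sample: a fragment of a public, "non-sensitive" page that carries a login link.
PUBLIC_PAGE = b'<a href="https://bank.example/login">Log in</a> Call us on 0800 000 0000'
LOGIN_LINK = b"https://bank.example/login"
REWRITTEN_LINK = b"http://login.placeholder.invalid/login"  # constructed placeholder

@dataclass
class Record:
    body: bytes
    tag: Optional[bytes]  # None models plain HTTP: nothing protects the body

def send_plain_http(body: bytes) -> Record:
    # Plain HTTP: the body travels as-is with no integrity protection.
    return Record(body, None)

def send_protected(body: bytes, key: bytes) -> Record:
    # Stand-in for a TLS record: body plus an HMAC under a shared key (real TLS uses AEAD and also encrypts).
    return Record(body, hmac.new(key, body, hashlib.sha256).digest())

def on_path_rewrite(record: Record) -> Record:
    # Models bytes changed in transit; any tag rides along unchanged, as it cannot be recomputed without the key.
    return Record(record.body.replace(LOGIN_LINK, REWRITTEN_LINK), record.tag)

def receive(record: Record, key: Optional[bytes]) -> Tuple[bool, bytes]:
    # Returns (integrity_verified, body); plain HTTP is always (False, body): the client cannot tell if bytes changed.
    if record.tag is None or key is None:
        return False, record.body
    expected = hmac.new(key, record.body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record.tag):
        raise ValueError("integrity check failed: record was modified in transit")
    return True, record.body

def demo() -> dict:
    # Three cases: plain HTTP altered in transit, protected record intact, protected record altered.
    key = b"constructed-session-key"
    plain_ok, plain_body = receive(on_path_rewrite(send_plain_http(PUBLIC_PAGE)), None)
    prot_ok, prot_body = receive(send_protected(PUBLIC_PAGE, key), key)
    try:
        receive(on_path_rewrite(send_protected(PUBLIC_PAGE, key)), key)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"plain_verified": plain_ok, "plain_link_rewritten": REWRITTEN_LINK in plain_body,
            "protected_verified": prot_ok, "protected_intact": prot_body == PUBLIC_PAGE,
            "tamper_detected": tamper_detected}
```

The plain-HTTP client ends up holding the rewritten link with no way of knowing it; the protected receiver rejects the altered record outright.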


Sean Wright

Lead Application Security SME at Immersive Labs with an origin as a software developer. Primarily focused on web based application security with a special interest in TLS related subjects.
