Dec 18, 2017 2 min read

Info Only

Discuss the importance of using HTTPS for integrity, and not only for confidentiality.


I thought I would start this blog post with the single Tweet that set off the whole debacle which ended with NatWest in the news. The problem is that, while yes, the information is public, all of the data returned over plain HTTP can be manipulated.

CIA


In the security field there is a basic concept known as the CIA triangle where:

  • Confidentiality – the data being transmitted/processed is not viewable by an attacker.
  • Integrity – the data being transmitted/processed cannot be tampered with by an attacker.
  • Availability – the data being transmitted/processed cannot be made unavailable by an attacker.

HTTPS provides 2 of the 3 principles of the CIA triangle, namely confidentiality and integrity. Firstly, the data is encrypted (confidentiality): an attacker may be able to observe the data being transmitted, but it is of no use to them. Secondly, integrity: an attacker could attempt to modify the encrypted data, but the modification will be detected by the receiving end of the communication.

But It’s Not Sensitive Information

And this leads me to the purpose of this blog. All too often I come across people who state that, simply because the information is public or not sensitive, that is a valid reason not to use HTTPS. Nothing could be further from the truth! Take the above example with NatWest. They have a login link on their page, they have contact numbers, they have security FAQs, and the list goes on. An attacker who has managed to get into a Man in the Middle (MiTM) position can alter all of that information with little effort. To illustrate this, I modified the login link:

And this relates to the above principle of integrity. Without using HTTPS, there is no way to confidently say that the integrity of the data being delivered to and from the client and server has not been tampered with. So it’s vital that HTTPS is still used, even if the data is public or not sensitive.
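To make the integrity point concrete, here is an added example (not from the original post) that models the tamper check a TLS record layer performs, using a keyed HMAC-SHA256 tag over the response as a stand-in for the AEAD tag real TLS uses. The sample HTML response, the rewritten login link and the domain names are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets

TAG_LEN = 32  # HMAC-SHA256 output length in bytes

# Constructed sample response: a "public" page that carries a login link.
ORIGINAL_BODY = b'<a href="https://www.example.com/login">Log in</a>'
# The same page after an on-path rewrite of that link (constructed).
TAMPERED_BODY = b'<a href="http://login.attacker.example/">Log in</a>'


def login_href(body: bytes) -> str:
    """Pull the login link a browser would render from the HTML body."""
    match = re.search(rb'href="([^"]+)"', body)
    return match.group(1).decode() if match else ""


def protect(body: bytes, key: bytes) -> bytes:
    """Stand-in for TLS record protection: append a keyed integrity tag.
    Real TLS uses an AEAD cipher; HMAC alone only models the integrity part."""
    return body + hmac.new(key, body, hashlib.sha256).digest()


def open_record(record: bytes, key: bytes):
    """Return the body if its tag verifies, or None if the record was altered."""
    body, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return body if hmac.compare_digest(tag, expected) else None


def fetch_over_http(body_on_the_wire: bytes) -> str:
    """Plain HTTP: whatever arrives is rendered; nothing ties it to the server."""
    return login_href(body_on_the_wire)


def fetch_over_https(record_on_the_wire: bytes, key: bytes):
    """Protected record: the tag must verify before anything is rendered."""
    body = open_record(record_on_the_wire, key)
    return login_href(body) if body is not None else None


def demo() -> dict:
    key = secrets.token_bytes(32)  # session key shared by client and server
    record = protect(ORIGINAL_BODY, key)
    # Swap the body but keep the original tag, as an on-path attacker would have to.
    tampered_record = TAMPERED_BODY + record[-TAG_LEN:]
    return {
        "http": fetch_over_http(TAMPERED_BODY),           # rewritten link, accepted
        "https_intact": fetch_over_https(record, key),    # original link
        "https_tampered": fetch_over_https(tampered_record, key),  # None: rejected
    }
```

Over plain HTTP the client follows the rewritten link without any way to notice; with the tag in place the same rewrite fails verification and the response is discarded.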

Sean Wright
Experienced application security engineer with an origin as a software developer. Primarily focused on web-based application security with a special interest in TLS and supply chain related subjects.