You also need to carefully consider the cipher suites that your server will support. All versions of SSL suffer from a number of well-known vulnerabilities and should not be supported under any circumstances for a public-facing HTTPS implementation.
In terms of protocols, you should not support any versions of SSL, and you should ensure that your configuration is not susceptible to downgrade attacks. These choices are important, as the use of an outdated protocol or an insecure cipher suite can compromise the protection HTTPS offers. When implementing HTTPS on your site or within your app, you will have a choice of what protocols and cipher suites your server will support. HTTPS is a combination of HTTP with TLS to provide encrypted communication with, and secure identification of, web servers. Essentially, TLS is the ‘successor’ to SSL and uses more modern cryptographic protocols. TLS and SSL are often used interchangeably to refer to the same concept – the creation of an encrypted communications channel. What’s the difference between HTTPS, TLS and SSL?
These additional benefits are not the focus of this guidance, however, and are dependent on the type of certificate you use and whether you apply HTTPS across your entire site. While the primary purpose of using HTTPS is to encrypt and protect all traffic between a user and a website, it can have other benefits such as verifying the identity of the website, and ensuring that a user can trust the whole website. ‘Hypertext Transport Protocol Secure’ or HTTPS is a method for encrypting the content of a webpage between your servers and the user’s browser and protecting user input on your website and/or mobile applications. The cloud provider, or other third-party, is therefore unable to gain access to the personal data whilst it is stored in the cloud. Therefore the organisation encrypts each file on its system prior to upload. Once the cloud provider receives the data, it would normally exist in a decrypted state. The organisation recognises that TLS will only provide appropriate protection whilst the data is in transit. The organisation uses TLS to encrypt data whilst in transit so that it cannot be intercepted.
It is important to remember that without additional encryption methods in place (such as encrypted data storage) the data will only be encrypted whilst in transit and will be stored on the recipient’s system in the same form as it is stored on the data controller’s system (ie in plaintext).Īn organisation intends to use a cloud-based data storage service as a repository to archive data. However, use of secure communication methods such as Transport Layer Security (TLS) or a Virtual Private Network (VPN) will provide assurance that the content of the communication cannot be understood if intercepted provided the method is implemented correctly. An example would be sending an appropriately encrypted attachment via email.
It is also strongly recommended to use encrypted communication when transmitting any data over a wireless communication network (eg Wi-Fi) or when the data will pass through an untrusted network.ĭata can be transformed into an encrypted format (see individual file encryption) and transferred over a non-secure communication channel yet still remain protected. Why is it important to consider encrypted data transfer?Įncrypting personal data whilst it is being transferred from one device to another (eg across the internet or over wired or wireless connections) provides effective protection against interception of the communication by a third party whilst the data is in transfer. What are the residual risks with encrypted data transfer?.How can we test if our HTTPS implementation is appropriate?.What’s the difference between HTTPS, TLS and SSL?.Why is it important to consider encrypted data transfer?.