[thelist] how secure is reasonable

Bill Moseley moseley at hank.org
Sun Oct 7 15:17:24 CDT 2007


On Sat, Oct 06, 2007 at 08:13:16AM -0700, Joel D Canfield wrote:
> A secure location on a web server, with PGP/GPG encryption, would make
> me comfortable with my tax forms being out there. I'll assume that if
> someone can hack the web server security *and* break GPG's encryption,
> they were gonna get it no matter what I did.

The problem is: how well can you trust the client machines?

On my LAN everything (except CUPS) is over ssh.  I can connect into my
network from the outside over SSH only, and not to bash Windows (no
pun intended), I won't connect to my network from a Windows machine as
I don't trust that a keyboard logger isn't listening.  Frankly, I
don't normally connect from any other machine than my own laptop, but
I don't always have that option.

My point is a server locked away in the basement is of no use if the
clients that have access are not equally protected.  The physical
security and encryption are the easy parts.  Getting a good security
policy and following it is the hard part.

Considering the weakness of the clients, I'm not sure encryption of
the documents is of much use.  Perhaps an encrypted partition on the
server would be in order just in case the server is stolen, otherwise
SSL, basic auth with frequent password updates, and client
certificates would probably be enough.

Again, a strong and sensible security policy is a must, and get the
clients to agree that they will follow the policy.  But, you have to
assume that's a weak link.

I would consider separating out the client-specific data from the tax
data so what ends up on the client machines can still be used for
tax preparation but doesn't include the data needed to link that tax form
with an individual.  So, when a client machine is stolen or hacked the
tax data is of little use.


-- 
Bill Moseley
moseley at hank.org
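One way to implement the data separation proposed in the last paragraph above, as an added example that is not part of the original post or the list archive: identifying fields are swapped for a random token, the token-to-identity mapping stays on the server, and only the de-identified figures travel to the client machine. The field names, the in-memory IDENTITY_STORE and the sample record are assumptions for illustration.

```python
import secrets
from typing import Dict, Tuple

# Fields that identify a person; these stay on the server only (assumed names).
IDENTIFYING_FIELDS = ("name", "ssn", "address")

# Server-side lookup table: token -> identifying fields. In a real deployment
# this lives on the locked-down server (ideally its encrypted partition), never on a client.
IDENTITY_STORE: Dict[str, dict] = {}


def split_record(record: dict) -> Tuple[str, dict]:
    """Separate identity from tax figures.

    Returns (token, tax_only): tax_only carries the numbers a preparer needs
    plus an opaque token and none of the identifying fields. The mapping
    token -> identity is kept in IDENTITY_STORE on the server.
    """
    identity = {k: record[k] for k in IDENTIFYING_FIELDS if k in record}
    tax_only = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    token = secrets.token_urlsafe(16)  # random, so it reveals nothing about the client
    IDENTITY_STORE[token] = identity
    tax_only["token"] = token
    return token, tax_only


def rejoin(tax_only: dict) -> dict:
    """Server-side only: re-attach the identity using the token."""
    identity = IDENTITY_STORE[tax_only["token"]]  # KeyError if the token is unknown
    merged = {k: v for k, v in tax_only.items() if k != "token"}
    merged.update(identity)
    return merged


def leaks_identity(tax_only: dict) -> bool:
    """Check that a record destined for a client machine carries no identifying field."""
    return any(k in tax_only for k in IDENTIFYING_FIELDS)


# Constructed sample record (not real data).
SAMPLE = {"name": "J. Doe", "ssn": "000-00-0000", "address": "1 Example St",
          "wages": 52000, "withheld": 6100, "tax_year": 2007}

if __name__ == "__main__":
    tok, client_copy = split_record(SAMPLE)
    print(client_copy)                    # figures plus token, no name/ssn/address
    print(rejoin(client_copy) == SAMPLE)  # True once back on the server
```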