We sometimes read "My blog is super secure since it uses TLS 1.2+/AEAD/PFS/CSP/OCSP/CAA…". At the same time, such blogs use a CMS like WordPress (with a large attack surface), and need database servers, PHP, etc.

However, these features don't protect databases – the valuable thing for bad guys. They don't keep software up to date or configure software properly. They only protect data in transit – if supported by clients.

So it is all about self-promotion, not about actual security.
