Lawrence, thanks for posting the "Inherently Insecure" article.
The article inspired me to use a TOR browser and get DuckDuckGo to search for information
on what they referred to as a "security hardened website". I was thinking there
might be an ISO specification on security hardening of websites and I could contemplate
parting with 118 Swiss Francs to buy the PDF and download it, i.e. something like
One of the websites that came up in the search is www.serverhardening.com.
However, when I try to make a secure HTTPS connection to this website my browser reports
"Your connection is not secure". The advanced information reveals:
uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
The certificate is not valid for the name www.serverhardening.com
The certificate expired on 21 November 2018, 9:31 PM.
If I take the risk and connect with just HTTP, then their website has a section on
"Server Hardening Tips & Tricks:" and the first bullet point in this section
states, "- Use Data Encryption for your Communications".
Looking through their 30 bullet points I didn't see any hardening recommendations on
Feel free to take the risk and check out this one page website at
...30 bullet points is a little short for an ISO
specification, but it is free ;-)