Extending the Benefits of HTTPS: Security, Trust and Identity


The Story So Far …

Currently, when you connect to most university or college websites your browser (in this case Chrome) maintains studied neutrality about the connection security (HTTP), for example:

The October 2017 release of Chrome 62 will slightly up the ante, with security warning messages on entering data on sites with HTTP connections:

Google’s original security post is here: https://security.googleblog.com/2017/04/next-steps-toward-more-connection.html

In our last article, we established that about one third of university and college main websites have implemented HTTPS. On connecting to these websites your browser (again, Chrome) confirms a secure connection (HTTPS) exists, for example:

From limited testing, it looks as if the dozens or hundreds of individual web properties (collectively, the ‘web estate’) at larger universities and colleges have implemented HTTPS (secure) connections to about the same degree as the wider universe (roughly, 33%).

Turning HTTPS to Your Advantage

As we’ve previously noted, secure connections to higher education websites are about ensuring that digital interactions enjoy identical levels of security and trust as all other personal interactions. This is not just a matter of implementing technology.

To further ensure security and trust, there’s an additional step that higher education institutions can choose to take, one already taken by other ‘trusted’ entities: implementing extended validation (EV).

When you connect to sites using extended validation certificates your browser (Chrome) confirms the connection security and site identity, for example:

Looks good, doesn’t it? Clearly stating the official name of the institution hosting the site and the location. It’s the same approach taken by financial institutions, for example:

Extended Validation Certificates

The purpose of EV certificates is to confirm to website visitors that the entity operating a site is who it claims to be and that the certificate issuer has verified that identity. Specifically, before issuing an EV certificate the issuer:

  • checks the identity of the website owner, through business incorporation or other public records;
  • confirms that the applying entity actually owns or controls the domain; and,
  • verifies the identity/authority of the individuals applying for the EV certificate.

The degree of scrutiny required to obtain an EV certificate should assure higher education website visitors that they can trust the site. Moreover, there’s even a little bit of extra institutional brand reinforcement thrown in.

EV certificates come at a price, around USD200 annually, along with a time commitment to gather the data needed to complete the certificate vendor’s application process.

Who’s Using EV Certificates?

We previously identified 1,443 institutions out of 4,310 that had implemented secure HTTPS connections.

On closer inspection, we found 45 of the 1,443 institutions (1 in 30) have chosen to implement an EV certificate. DigiCert and COMODO are the two principal suppliers of extended validation certificates to those institutions that have implemented EV.
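The Python sketch below is an added example, not the code used for this survey. It shows one way to tally validation level and issuer across a web estate using only the standard library; because `ssl.getpeercert()` does not expose the certificate policy OIDs, it assumes a heuristic based on the subject attributes that EV certificates carry as a result of the issuer checks listed earlier, and the `SAMPLE` entries are constructed, not real certificates.

```python
import socket
import ssl
from collections import Counter

# Subject attributes carried by EV certificates (heuristic; the policy OID is authoritative).
EV_SUBJECT_FIELDS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}

def fetch_cert(host, port=443, timeout=5):
    """Return the validated leaf certificate as the dict ssl.getpeercert() produces."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def flatten(name):
    # getpeercert() names are tuples of RDNs, each a tuple of (attribute, value) pairs.
    return {key: value for rdn in name for key, value in rdn}

def validation_level(cert):
    """Classify a certificate as 'EV', 'OV' or 'DV' from its subject fields."""
    subject = flatten(cert.get("subject", ()))
    if "organizationName" not in subject:
        return "DV"  # only control of the domain was validated
    if EV_SUBJECT_FIELDS <= subject.keys():
        return "EV"  # incorporation records and registration number present
    return "OV"

def issuer_org(cert):
    issuer = flatten(cert.get("issuer", ()))
    return issuer.get("organizationName", issuer.get("commonName", "unknown"))

def survey(certs):
    """Tally validation levels and issuer organisations for an iterable of certs."""
    certs = list(certs)
    return (Counter(validation_level(c) for c in certs),
            Counter(issuer_org(c) for c in certs))

def make_name(**attrs):  # builds constructed names in getpeercert() shape
    return tuple(((k, v),) for k, v in attrs.items())

# Constructed sample data, shaped like getpeercert() output.
SAMPLE = [
    {"subject": make_name(jurisdictionCountryName="US", businessCategory="Private Organization",
                          serialNumber="0000000", organizationName="EV College (constructed)"),
     "issuer": make_name(organizationName="Example EV CA")},
    {"subject": make_name(organizationName="OV College (constructed)"),
     "issuer": make_name(organizationName="Example OV CA")},
    {"subject": make_name(commonName="www.dv-college.test"),
     "issuer": make_name(commonName="Example DV CA")},
]
```

To run it against live sites, pass `fetch_cert(host)` for each hostname in your estate to `survey()`; hosts that fail certificate validation raise `ssl.SSLError` and need separate handling.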

We speculate that with greater awareness of the need to move to HTTPS, a second wave of university and college implementations will see upgrades to extended validation.

And, for those institutions yet to move to HTTPS, here are the main suppliers of SSL certificates (the underlying HTTPS technology):

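| Certificate Supplier | Market Share in Higher Education |
|----------------------|----------------------------------|
| Go Daddy             | 17.3%                            |
| COMODO               | 16.3%                            |
| DigiCert             | 13.6%                            |
| Let's Encrypt        | 11.0%                            |
| InCommon             | 9.1%                             |
| Others               | 5.7%                             |
| RapidSSL             | 5.4%                             |
| thawte               | 5.4%                             |
| QuoVadis             | 4.7%                             |
| GeoTrust             | 4.1%                             |
| GlobalSign           | 3.6%                             |
| Entrust              | 2.0%                             |
| Symantec             | 1.6%                             |
| Total                | 100.0%                           |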

Table 1: List of SSL certificate suppliers identified from 1,443 university and college websites using HTTPS

Go Daddy emerges as the largest supplier because Go Daddy is one of the main website hosting providers to the higher education sector in the United States. We note that, with the exception of Let's Encrypt and InCommon, connections to all the other certificate supplier sites are enabled with extended validation certificates.

And, if you’ve made it this far, about 10% of the HTTPS installations we tested failed SSL Labs’ server test. We’ve used our best endeavours to get in touch with those institutions so they can take the appropriate action. We recommend submitting your main website URL to SSL Labs' test.

 


Blog photo image: unsplash.com