It's a New Year and Google is Rolling Out Some Important Changes
Soon-to-be-released updates to Google’s Chrome browser will warn users if their website connection is not secure. Our research shows that the majority of college and university websites in the US, UK and Canada do not offer secure connections. They use insecure HTTP (Hypertext Transfer Protocol) connections rather than secure HTTPS (HTTP Secure) connections. This isn’t a technical distinction or issue; it is one of basic trust and privacy between a website and its users, as we will explain in more detail.
The Chrome rollout will start by warning about passwords and credit card number collection over non-secure connections, and will culminate with users being clearly warned about any website that does not use the HTTPS protocol.
Even if Google were not making this change, it is time to move web servers to HTTPS. Universities and colleges are trusted institutions and visitors to their websites should be confident that the pages they browse, the searches they conduct or the personal data they supply to complete forms cannot be intercepted in transit: implementing HTTPS provides that reassurance.
Insecure versus Secure Links (HTTP vs. HTTPS)
Most connections between end user devices and websites still use the HTTP protocol. While HTTP facilitates reliable connections, all communication over HTTP links can be readily intercepted and read by third parties: malicious intruders, ISPs and others.
HTTPS ensures that users connect over an authenticated, encrypted link that prevents anyone examining or modifying the data being sent.
Current practice is for browsers to highlight secure (HTTPS) connections by showing a small padlock and the word Secure in the URL bar. Here's an example with the Chrome browser:
Banks, ecommerce, social media and other organisations use HTTPS links to ensure that users of their sites can trust the connection and to preserve privacy.
Moving to HTTPS: It Will Even Boost SEO
To make internet searching and browsing secure and private, Google has been actively promoting HTTPS use and even ranks search results from HTTPS sites ahead of those from insecure HTTP sites.
With Chrome about to reverse the policy of highlighting secure connections rather than warning of insecure ones, users will receive progressively stronger and more worrying warnings as they browse HTTP-only websites.
This policy change matters to higher education institutions because our research shows that most of their websites rely on insecure connections, with the exception of pages that facilitate payments or similar transactions.
Starting in January 2017, release 56 of Chrome will warn users if an insecure site asks for a password or credit card number. The Chrome development team has announced that subsequent releases will culminate in non-HTTPS sites being designated as insecure and site visitors being issued with a warning in the URL bar (we anticipate Firefox and Safari implementing a similar feature).
Migrating to HTTPS ensures that college and university websites will engender the appropriate level of trust in visitors.
Communication privacy and trust are strategic, not technical, issues. University and college website visitors should be able to trust that the pages they browse, the searches they conduct and the documents they view cannot be intercepted in transit and viewed by others.
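To find the pages that the first Chrome 56 stage described above would flag, a site owner can scan page markup for password and card inputs. The script below is an added example, not part of the original post: example.edu and the sample pages are constructed, matching card fields by autocomplete="cc-*" is an assumption standing in for Chrome's own detection, and the second check (an HTTPS page whose form submits to HTTP) goes beyond what the post describes.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class SensitiveFieldFinder(HTMLParser):
    """Collect password and card inputs plus the URL their form submits to."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_target = page_url  # inputs outside a <form> stay on the page
        self.fields = []             # (kind, field name, submit target)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            # A missing or relative action resolves against the page URL.
            self.form_target = urljoin(self.page_url, a.get("action", ""))
        elif tag == "input":
            if a.get("type", "").lower() == "password":
                self.fields.append(("password", a.get("name", ""), self.form_target))
            elif any(t.startswith("cc-") for t in a.get("autocomplete", "").lower().split()):
                # Assumption: card fields are marked with autocomplete="cc-*".
                self.fields.append(("card", a.get("name", ""), self.form_target))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_target = self.page_url

def audit_page(page_url, html):
    """Return (kind, name, reason) for each field exposed in transit."""
    finder = SensitiveFieldFinder(page_url)
    finder.feed(html)
    page_is_http = urlsplit(page_url).scheme != "https"
    report = []
    for kind, name, target in finder.fields:
        if page_is_http:
            report.append((kind, name, "page served over HTTP"))
        elif urlsplit(target).scheme != "https":
            report.append((kind, name, "form submits to HTTP"))
    return report

# Constructed sample pages (example.edu is a placeholder domain).
SAMPLE_PAGES = {
    "http://www.example.edu/login": '<form action="/session"><input name="user"><input type="password" name="pw"></form>',
    "https://www.example.edu/pay": '<form action="http://pay.example.edu/charge"><input name="card" autocomplete="cc-number"></form>',
    "https://www.example.edu/portal": '<form action="/session"><input type="password" name="pw"></form>',
}

if __name__ == "__main__":
    for url, html in SAMPLE_PAGES.items():
        print(url, audit_page(url, html))
```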
Current State of Play
To understand the potential scale of the transition we examined the home pages of universities and colleges in Canada, the UK and US – a total of about 4,280 different websites.
Overall just over 14% of sites have implemented HTTPS, leaving 86% to catch up. However, there is some variation by geographical region, with the UK taking the lead.
Google provides supporting material that expands on this blog post and explains the importance of enhancing privacy and security by implementing HTTPS.
Start by reading the Google security blog post announcing the proposed changes to browser behaviour. The post also offers links to further technical and non-technical resources.
Finally, we recommend reviewing the material at Let’s Encrypt (a free service provided by the Internet Security Research Group) to see how HTTPS can be implemented at low to no cost for ‘straightforward’ websites.
Once you understand why you should migrate to HTTPS, you'll need to plan how to do it. Matt Banner at onblastblog.com has published an infographic that structures a migration and highlights the key elements - it's worth reviewing before developing your own project plan.