Enhancing Trust in Higher Education Websites
Universities and colleges are trusted institutions, but visitors to higher education websites are being let down. In a survey of over 200 Canadian university and college websites we found that the majority continue to use insecure HTTP [HyperText Transport Protocol] connections, which expose visitors to the risk of their communications being intercepted or altered. As the US Government's CIO website puts it: "Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users ...". All visitors should enjoy the highest levels of access privacy and be able to trust the sites to which they connect. Trust and privacy are particularly important given that visitors access post-secondary education sites from all over the world, including from locations where access to the Internet and what is being accessed is closely monitored.
The solution is to upgrade to HTTPS [HyperText Transport Protocol Secure] connections. And, about 10% of higher education websites have already done so. HTTPS provides encrypted connections to servers and those servers are authenticated, so site visitors can trust the connection. HTTPS allows post-secondary education website visitors to experience the same level of trust and privacy they enjoy with financial institutions, online retailers, Google, FaceBook, Dropbox and other Internet businesses, or readers of this post.
Communication privacy and trust are not technicalities, they are strategic issues. University and college website visitors should be able to visit and know that the pages they browse, the searches they conduct or the personal data they supply to complete forms cannot be intercepted in transit.
What Did We Find?
We examined the connections to the principal websites of just over 200 post-secondary education institutions operating in Canada. We captured the standard interaction of a browser with the server hosting the website and we determined whether visitors were accessing those sites via HTTPS or via, less secure, HTTP connections. As the first graph shows, just under 10% of the sites surveyed had implemented HTTPS. And, to better understand how well HTTPS had been implemented, we used the Qualsys secure server connection test to obtain an implementation rating. The detailed inspection produced mix results for implementation effectiveness, as the second graph illustrates. Our observations about the Qualsys results can be found at the conclusion of this post.
What is HTTPS?
HTTPS is designed to protect communication between a website visitor's computer and the site. It achieves this objective by verifying the website's identity (using a 'certificate') and encrypting most (but not all) of the data sent over the connection. HTTPS is specifically designed to prevent data (for example, credit card details or a PIN identifier) being read or altered while in transit. And, should someone attempt to alter any data in transit, HTTPS makes the changes readily detectable. The three benefits offered by HTTPS account for its adoption by financial institutions, e-commerce organisations and other service providers. A number of organisations, for example, The Electronic Frontier Foundation and Google have been actively promoting HTTPS' widespread implementation to address the issue of user privacy.
HTTPS relies on cryptographically-signed certificates that can be recognised and tested by web browsers to confirm website ownership. To make HTTPS-enabled connections evident a padlock symbol appears in the URL bar of a browser. Moreover, when a site operator takes the extra step to obtain an Extended Validation (EV) certificate, the name and country code of the organisation operating the website will appear adjacent to the padlock. We note that only one of the eighteen HTTPS-enabled websites in our study had chosen to obtain an EV certificate: the certificates cost about $100 per year.
What is Holding Back HTTPS Adoption?
In our view, the main adoption hurdle is that HTTPS is seen as a technical problem rather than as a strategic objective to give website visitors the same level of information privacy and trust as would be given to any of their other institutional interactions. Nevertheless, a small number of higher education institutions have already moved to HTTPS, and the remainder should follow their lead.
Typical implementation objections range from encryption negatively impacting site performance, burdensome certificate management, the work associated with ensuring all website content is available over an encrypted link and the complexity of carrying out a migration to a 'new' website. In practice, both software and hardware handle the 'encryption burden' with no noticeable impact to site visitors. The second point isn't so much a reason not to move to HTTPS, but more a reflection of the often haphazard way content accumulates on sites and the periodic need for housekeeping. However, migration exercises do require careful planning, management and execution to ensure that every page on the 'new' HTTPS site works as well as it did on the 'old' HTTP site.
A fourth factor holding back migration to HTTPS is available expertise. Ensuring that HTTPS server settings are optimal is complex [as we know from configuring this site's server and others] and these skills are not always readily available in-house.
There are two reasons for implementing HTTPS: trust and privacy. Enhancing both of these improves a visitor's experience of using a site and ensures that the site's privacy and associated level of trust are commensurate with an institution's reputation. As of early 2016, the majority of Canadian post-secondary education websites have yet to implement HTTPS. And, if the foregoing were not strong enough reasons for upgrading, Google now gives additional weight to HTTPS-enabled sites. If search-referred traffic is important, it makes sense to capitalise on the HTTPS advantage.
What Should You Do Now?
Institutions that have implemented HTTPS should re-submit their site for a Qualsys inspection. Anyone can do it, by submitting the home page URL (do tick the box marked Do not show the results on the boards). In almost all cases the results will be illuminating: even frustrating. We know precisely how difficult it is to obtain an A+ rating.
This article is cross-posted on our FaceBook and LinkedIn pages, where we welcome comments, questions and discussion. We look forward to your feedback. And, of course, we are happy to provide HTTPS-related assistance.