By: T.J. Lamanna
Cross-posted from the OIF Blog
With the recent release of tools like Certbot and HTTPSEverywhere and organizations like Let’s Encrypt, it’s becoming easier and easier for non-enterprise web administrators to add SSL certificates to their websites, thus ensuring a more secure connection between the user and server. The question which needs to be answered is, why, with so many tools available are libraries lagging behind in implementing HTTPS on library web servers?
As Tim Willis, HTTPS Evangelist at Google, said in his interview with Wired Magazine: “It’s easy for sites to convince themselves that HTTPS is not worth the hassle. But if you stick with HTTP, you may find that the set of features available to your website will decline over time.” This might have been true 10 years ago, when implementing the certificate required a unique set of skills that most librarians didn’t have, and most public libraries couldn’t afford to outsource. This is no longer the case, yet the mindset hasn’t changed.
The library field is rife with the mindset of “we’ve always done it this way,” which is why we typically lag behind and become late adopters, rather than pioneers we like to pride ourselves as being. It would also require libraries to spend more time and energy on making sure their websites were current and safe — a challenge for understaffed and underfunded libraries. However, the benefits and good this will offer to the community should outweigh any additional labor involved, especially since there are people and organizations that are willing to do the work for the library, such as Let’s Encrypt, the Library Freedom Project or their state library, for either a nominal or no fee.
As of July 27, 2017, only 1,445 out of a total of 16,248 public libraries have HTTPS enabled on their websites, that’s just 8.89% (this excludes the 971 libraries we weren’t able to find valid websites for) [Fig 1]. As the graphs below show, as of July 2017 almost 60% of all web pages loaded over Firefox were able to use HTTPS [Fig 2]. As well as 229,845 of the top 1 million sites (almost 23%) enable HTTPS by default [Fig 3], and as of July 2, 2017, the site SSL Pulse, which surveys the top 140,000 websites, found that 59.1% were actively secured [Fig 4].
One of the most common complaints against HTTPS implementation in libraries has been: “we don’t serve any sensitive information,” but that’s not the only reason to implement HTTPS on your library’s domain. Beyond the security measures HTTPS offers libraries and their patrons, there are other practical reasons for implementing the certificate.
Standard load time for web pages is actually faster with HTTPS, more than 360 unique test loads HTTPS averaged 3.75 seconds while HTTP averaged 5.251 seconds, or 40% slower. HTTPS also increases SEO rankings, so libraries that are struggling to move up the ranks may find the implementation helpful. There is also the issue of updated browsers, as HTTPS becomes more common, web browsers are going to anticipate your domain having an SSL certificate, and will start throwing nasty messages and warnings if your site is unsecure. This becomes especially problematic for library patrons, as few are familiar enough with the topic to understand why their library’s website is giving them error messages. There are countless other reasons to enable HTTPS on your site, and for more information I’d recommend Scott Helme’s “Still think you don’t need HTTPS” report.
We’ve focused exclusively on libraries and the domains they hold, but a correlate to this discussion is advocating and demanding vendors also implement HTTPS for their services, especially those where patron information is relayed. Librarians and their advocates must push to have every ILS enable HTTPS as well as any other service that may potentially leak patron information. This is a paradigm shift in the current relationship between libraries and their vendors that needs to be resolved.
Our patrons expect a secure platform from their library, and libraries as privacy advocates have an obligation to provide their patrons with the tools they need to use library resources safely. So, what can you do to enable HTTPS on your libraries domain? Bring up the topic to your director, board or trustees and explain the need and method of implementation. Make sure you can explain why it’s important as well as how you’d pursue getting the certificate implemented.
T.J. Lamanna is the chair of the New Jersey Library Association Intellectual Freedom Committee and the emerging technologies librarian at the Cherry Hill Public Library. His time is spent discussing both practical and theoretical ways of protecting librarians and their patrons in a world of social engineering, hacking and malicious states. Whether it’s email, browsing history or texts, he educates the public on what they can do to keep their communications private.