HTTPS: It's Way Past Time


Editor's introduction: By July this year, websites that are not encrypted (those whose web addresses do not begin with HTTPS) will get a "not secure" label in the address bar of the most popular web browser, Google Chrome. Using HTTPS means that your users' web activity is visible only to the people operating your website. Even if someone intercepts your web traffic, it would be scrambled. To encrypt your website, you need to install an SSL certificate, or even better, a TLS certificate on it. Find out more on how your library can upgrade to TLS. Here is a great article on the state of libraries and HTTPS by T.J. Lamanna. This piece was originally published on Medium and is reprinted here by permission of the author.

Ninety Percent of Library Websites Are Not Encrypted

Brace for impact. Well, maybe not impact, but phone calls and emails to be sure. Google announced that in July 2018 they will be flagging all non-HTTPS sites as insecure. This means that your patrons are going to get a warning whenever they try to access your site. And for roughly 90 percent of public U.S. libraries, this is going to be the case. That's right, according to my latest statistics, only 1,620 out of 16,221 public libraries in the U.S. use HTTPS for their websites (catalogs are a beast of a different color). U.S. libraries are trailing tremendously behind the national average. For a group that lauds itself as a bastion of privacy, we need to do better.

The graphic below shows the average for Alexa's list of the most popular websites. I use SSLLabs reports both to look at trends and to run audits; you can do so yourself at SSLLabs.com. There you can audit your server or browser or use Pulse to check out current trends and see how you're stacking up.

Monthly Scan: February 04, 2018 - SSL Security Summary - Pie chart showing 65.5% secure sites. Total sites surveyed: 135,004. Inadequate security: 46,568. Secure sites: 88,436.

Another great source of information is Let's Encrypt's Stat page, which gives clear and accurate trend information, not just for the U.S. but globally. See the chart below. There has been a massive uptick in certs since January of last year. The U.S. went from about 50 percent to close to 80 percent! And this is compared to U.S. libraries, which have hovered under 10 percent. There is no clear reason why this is, and it's something that is easily remedied.

Percentage of Web Pages Loaded by Firefox Using HTTPS - 14 Day moving average, source: Firefox Telemetry - Chart shows that there has been a massive uptick in certs since January of last year. The U.S. went from about 50 percent to close to 80 percent of pageloads using HTTPS

I'm hoping this post and upcoming articles and webinars will help boost those numbers. The bulk of my information on the HTTPS protocol in U.S. public libraries comes from librarytechnology.org, so please go there and check out your library. If your information is not accurate, please let me know so we can update it and get a better reflection!

Why Now?

Why is Google pushing this now? Well, Roger Montti lays it out fantastically in his article Google Engineer Lists 4 Powerful Reasons Why Sites Should Upgrade to HTTPS. To summarize, he lists four main reasons.

  • HTTPS is not just about Google: This standard aims to benefit everyone. It's not Google that started it, but their push, since they are a massive company, has brought it more to the forefront. Groups have been pushing it since 1994, when Netscape started creating the SSL protocol (they are now the Mozilla Foundation).
  • HTTPS enables a trouble-free Internet: I want to be clear: it enables, but in no way guarantees, a trouble-free Internet. It does help, though. A lot. This standard lays a foundation that even better security can be built on.
  • HTTPS enables browser service workers: As more and more apps are developed, we rely more on APIs to help keep the Internet moving, and these need explicitly safe protocols. With more information being transmitted, these protocols are essential.
  • The Internet should be safe: This may seem intuitive, but it's a foundational principle of the Internet. You should feel safe and secure when you use the Internet, and HTTPS goes a long way to both help secure the Internet and build the public trust.

How to Encrypt Your Website

So, if you don't want your staff spending all their time assuring patrons that your site is secure (and if you're not using HTTPS, you'll be lying to them), now is the time to make the switch. And honestly, it's pretty easy. If your site is hosted by your state library, contact them immediately and ask them to enable HTTPS for your site! There might be some hiccups with what we call mixed media, which are URLs that point to unsecure sites that are embedded on your page. But that's far better than sending everything as clear text!

If you're hosting your own site, it's a little trickier than just picking up the phone, but not that much more difficult. I cannot recommend enough the good people at Let's Encrypt and the amazing work they do. Most hosting sites make it easy to enable HTTPS for your site, almost always for free. I personally use Heroku for a lot of lightweight and quick-deploy sites, and it's just the click of a button to do it. If you're hosting your website in-house, let your IT staff know they need to get on this immediately.

Resources for Implementing Website Encryption

Implementing an SSL certificate isn't difficult and I can't recommend enough Mike Robinson's posts on implementing certs on library OPACs and API servers. I understand that this can be quite daunting, especially if you haven't done something like this before, but there are organizations and walkthroughs that can get even the most novice of web admins going quickly and easily.

Most libraries don't seem to be hosting their own sites, which adds an additional layer of difficulty (or ease depending on who's hosting it). For instance, if your township administrates your site, they will most likely be adding a certificate. Just make sure they add one for the library domain! They'll most likely want to keep the township sites' information secure, especially if they solicit questions from the community.

If your website is hosted, and you have paid a vendor to create your site, you should contact them and let them know you want an SSL certificate added to your domain. If you do it in-house, but aren't confident in your ability to add it yourself, Let's Encrypt is a valuable tool.

This post isn't meant to be alarmist, but forewarned is forearmed. I'm not going to delve into the details on how to deploy HTTPS, but I'm always happy to chat and give you a hand if you want. You can find me on Twitter @paraVestibulum or email me at professionalirritant@riseup.net.

About the Author

T.J. Lamanna is the emerging technologies librarian at the Cherry Hill Public Library in Cherry Hill, New Jersey. He's currently the chair of the New Jersey Library Association's Intellectual Freedom Committee, as well as serving on the American Library Association's Privacy Subcommittee through the Office of Intellectual Freedom, where he focuses on the intersection of privacy and free access to information.