Sensible talk about HTTPS

https showing in a browser bar

(this is a slightly amended reprint of an article I wrote for Computers in Libraries magazine in 2016 and I’m putting it here because it’s timely. Original title: Practical Technology – Digital Privacy is Important Too. If something seems inaccurate, let me know.)

This month’s column is amplifying the signal on a movement that has been brewing in the library world: getting libraries to make patron’s digital activities as secure as their lending records. There are a few ways to do this but I’m going to focus on using HTTPS.

You’re probably familiar with the http:// prefix from web addresses. You may not know that it stands for Hypertext Transfer Protocol but you don’t really need to. HTTP is a method of exchanging information, mainly web pages, online. The information that is exchanged goes over the internet in plain text, unencrypted. This is fine if you are just trying to look at a website about caves or bats, but less fine if you are sending passwords, banking information, or other things that you’d prefer to be more secure.

How

Privacy-conscious individuals can use browser plug-ins for Firefox, Chrome or Opera such as HTTPS Everywhere on their own computers which will let them use an encrypted channel for sending information when possible. However if libraries are in the privacy business, shouldn’t we be offering HTTPS to our users as much as possible?

Eric Hellman who runs the popular library blog Go To Hellman has been working with the Library Freedom Project to get libraries to commit to digital privacy by signing the Library Digital Privacy Pledge. Simply put, it asks libraries to commit to using HTTPS to “deliver library services and the information resources offered by libraries.” in 2016.

Historically this has been an endeavor that came with associated costs since purchase of a digital certificate was required to verify the security of the connection. Recently, the Electronic Frontier Foundation has started the Let’s Encrypt project with sponsors like Mozilla and Cisco in order to lower the costs and the technical hurdles involved in getting set up with HTTPS.

Last year was the year for HTTPS. The White House made a statement in June of 2015 directing “all publicly accessible Federal websites and web services only provide service through a secure HTTPS connection” by the end of 2016. They have also created a web-friendly version of their memo along with an extended explanation about how and why they created this mandate. On their page entitled “Why HTTPS for Everything?” they explain

Today, there is no such thing as non-sensitive web traffic, and public services should not depend on the benevolence of network operators.

When properly configured, HTTPS can provide a fast, secure connection that offers the level of privacy and reliability that users should expect from government web services.

Why

The big reasoning for pushing for this in libraries is twofold. First privacy is our business. It’s in our professional bill of rights and it’s certainly in all of our marketing materials. The ALA’s Code of Ethics is very clear “We protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.” That “transmitted” part is the key.

If we say we keep your reading list private, shouldn’t we be able to say the same about your internet browsing habits? Our users are getting their information not just from print materials but from databases that we provide as well as internet connections, and possibly computers, that we offer. If we’re in the privacy business it’s our responsibility to make these channels as secure as possible. This means managing these systems in our own libraries and urging, if not requiring, our vendors to do the same.

Major companies like Google, Twitter and Facebook as well as my employer the Internet Archive, have made the switch recently and if you haven’t really noticed that’s the good news. All major browsers should be able to handle this transition seamlessly. Users have a browsing experience that feels the same, but is much more secure. Libraries can offer their patrons public wifi access and also assure them that the data they send over that wifi isn’t “sniffable” by third parties. This is good PR for libraries.

And this brings us to the second reason, clarity. There are many different ways that internet content tries to make itself look reputable and authoritative. As librarians we’ve seen them all. However, telling a user “Look for the lock icon on the browser.” or “Look for https in the web address.” is a straightforward and simple way to make this additional security clear to users. This can help users resist phishing attempts and give them more confidence when interacting with sites that require their personal information.

Where and When

There are a few steps involved in making this change and some of it is dependent on the IT system the library is using. A very simple first step is contacting the vendors your library does business with and ask them if they use HTTPS and, if not, if they would consider implementing it. OverDrive, EBSCO and Elsevier have already made this change.

The next step is doing an assessment of the web services you offer and look into making the transition. This can be as simple as updating your website and inspecting your internet connection but possibly as complicated as rebuilding some of the code you have been using or looking at your content management system’s tools for implementing HTTPS. Sometimes this can be as simple as using a plugin.

The good news is that the last few years have seen a surge of companies and websites who have been moving to HTTPS so many of the starting points are Googleable. There are also people from the Library Freedom Project willing to help libraries get set up with HTTPS if you simply lack the resources to undertake this project on your own.

This pledge is also a chance for us to model good behavior for other users who may not understand how packets move across the internet. By showing that we care about their privacy and presenting privacy as a thing to be valued, we can help other people make good decisions about their own web content and internet habits. Join us.

Resources

3 comments for “Sensible talk about HTTPS

  1. 23Oct17 at 9:02

    I just checked, and my library’s regional catalog website supports HTTPS, but the link from the public-facing website is to the plain vanilla HTTP URL. That should be easy enough to fix, but really the server should redirect non-encrypted requests automatically.

    There is also a mixed content warning keeping the URL lock icon from turning green. That appears to come from header customization assets. So perhaps that would be fixable without needing vendor support.

    Looking through the other network requests, I also see one from something called AppDynamics. It’s served over HTTPS and my browser’s PrivacyBadger plugin doesn’t block it by default (it’s not setting a cookie), but it does complicate the “HTTPS == privacy” shorthand. It just means I am trusting a third party not to observe my catalog searches, which I’m okay with.

  2. jessamyn
    23Oct17 at 3:58

    Hey this is timely because I am going to NYLA (conference for NY librarians) and I can mention this.

    And it’s ironic because my web host doesn’t handle HTTPS yet.

  3. Sanjeev Nanda
    30Oct17 at 4:28

    It cleared my doubts about HTTPS and I am feeling a lot more knowledgebale right now. Thanks a lot for the informatiom.

Comments are closed.