A blog from the Southern Ontario Library Service

HTTPS: Why bother?

Last year around this time, Google adjusted their algorithms to prioritize responsive websites in search results. This year, the tech world is abuzz again, because Google is changing its algorithms to prioritize sites using https in its search results. We’re looking into moving our site onto https, and not only for this reason. Read on!

What is https and why bother?

“When you use the web, your browser software communicates with a server computer through the internet. The messages back and forth pass through a series of computers (network nodes) that work together to pass messages. Depending on where you and the server are, there might be 5 computers in that chain, or there might be 50, each possibly owned by a different service provider. When a website uses HTTP, the content of these messages is open to inspection by each intermediate computer, like a postcard sent through the postal system, as well as by any other computer that shares a network with those computers. If you’re connecting to the internet over wifi in a coffee shop, everyone else in the coffee shop can see the messages, too.

When a website uses HTTPS, the messages between your browser software and the server are encrypted so that none of the intermediate network nodes can see the content of the messages. It’s like sending sealed envelopes through the postal system.

Your web site and other library services may be sending sensitive patron data across the internet: often bar codes and passwords, but sometimes also catalog searches, patron names, contact information, and reading records. This kind of data ought to be inside a sealed envelope, not exposed on a postcard.”

– From the Digital Privacy Pledge wiki

If you want to learn more about https, the Electronic Frontier Foundation has published a short article geared towards library staff.

But we have https on part of our site already? Why do we need it everywhere?

It’s not enough. Hackers have shown exactly how to get around the jump from http to https that you’re asking patrons’ browsers to make. They can intercept and redirect; the user never notices.

It’s safer to have https everywhere.
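To find where a partly-https site still makes that jump, here is an added example (not from the original post or the Pledge wiki): a small Python audit that lists where an http page hands visitors off to https, and where an https page drops back to http. The site name library.example, the sample pages and the finding labels are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser navigate to or fetch a URL.
URL_ATTRS = {"a": "href", "form": "action", "script": "src",
             "img": "src", "iframe": "src", "link": "href"}
NAVIGATION_TAGS = {"a", "form"}

class _Auditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.page, self.findings = page_url, urlsplit(page_url), []

    def handle_starttag(self, tag, attrs):
        value = dict(attrs).get(URL_ATTRS.get(tag, ""))
        if not value:
            return
        url = urljoin(self.page_url, value)  # resolves relative and //host URLs
        target = urlsplit(url)
        if (self.page.scheme, target.scheme) == ("http", "https") \
                and tag in NAVIGATION_TAGS and target.hostname == self.page.hostname:
            kind = "handoff"  # the http-to-https jump an interceptor can rewrite
        elif (self.page.scheme, target.scheme) == ("https", "http"):
            kind = "downgrade" if tag in NAVIGATION_TAGS else "mixed-content"
        else:
            return
        self.findings.append((kind, tag, url))

def audit(page_url, html):
    auditor = _Auditor(page_url)
    auditor.feed(html)
    return auditor.findings

# Constructed sample pages for a hypothetical site, library.example.
PAGES = {
    "http://library.example/": """
        <a href="/catalogue">Catalogue</a>
        <form action="https://library.example/login" method="post">
          <input name="barcode"><input name="pin" type="password"></form>""",
    "https://library.example/account": """
        <img src="http://library.example/logo.png">
        <a href="http://library.example/catalogue">Back to catalogue</a>
        <script src="/js/account.js"></script>""",
}

if __name__ == "__main__":
    for page_url, html in PAGES.items():
        for kind, tag, url in audit(page_url, html):
            print(f"{page_url}: {kind} via <{tag}> -> {url}")
```

Relative links inherit the scheme of the page they sit on, so once every page is served over https only the absolute http:// references are left to clean up.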

Will https really make a difference?

“While HTTPS, when properly implemented, is a strong protection against eavesdropping and malicious content insertion during data transmission, there are other ways that attacks can occur. Privacy and security improvements will be an ongoing process. But HTTP has no protections at all against eavesdropping, so HTTPS is a vast improvement.”

– From the Digital Privacy Pledge wiki

How do we move our site to https?

Usually, you’ll need to start with a certificate signed by a recognized authority. These are free at the moment, through Let’s Encrypt. The certificate is used to verify that you are who you say you are. If you are worried your library doesn’t have staff with the technical expertise to implement a certificate, get in touch with the Library Freedom Project. They’ve got volunteers who want to help make this happen for libraries everywhere.

I’ll be writing more on the Pledge soon, but feel free to investigate on your own if you’re curious!