Universities and colleges are trusted institutions, but visitors to higher education websites are being let down. In a survey of over 200 Canadian university and college websites we found that the majority continue to use insecure HTTP [HyperText Transport Protocol] connections, which expose visitors to the risk of their communications being intercepted or altered. As the US Government's CIO website puts it: "Unencrypted HTTP connections create a privacy vulnerability and expose potentially sensitive information about users ...". All visitors should enjoy the highest levels of access privacy and be able to trust the sites to which they connect. Trust and privacy are particularly important given that visitors access post-secondary education sites from all over the world, including from locations where access to the Internet and what is being accessed is closely monitored.
The solution is to upgrade to HTTPS [HyperText Transport Protocol Secure] connections. And, about 10% of higher education websites have already done so. HTTPS provides encrypted connections to servers and those servers are authenticated, so site visitors can trust the connection. HTTPS allows post-secondary education website visitors to experience the same level of trust and privacy they enjoy with financial institutions, online retailers, Google, FaceBook, Dropbox and other Internet businesses, or readers of this post.
Communication privacy and trust are not technicalities, they are strategic issues. University and college website visitors should be able to visit and know that the pages they browse, the searches they conduct or the personal data they supply to complete forms cannot be intercepted in transit.
We examined the connections to the principal websites of just over 200 post-secondary education institutions operating in Canada. We captured the standard interaction of a browser with the server hosting the website and we determined whether visitors were accessing those sites via HTTPS or via, less secure, HTTP connections. As the first graph shows, about 10% of the sites surveyed had implemented HTTPS. And, to better understand how well HTTPS had been implemented, we used the Qualsys secure server connection test to obtain an implementation rating. The detailed inspection produced mix results for implementation effectiveness, as the second graph illustrates. Our observations about the Qualsys results can be found at the conclusion of this post.
Graph 1: Proportion of Canadian Post-Secondary Education Websites Using HTTPS vs HTTP
We surveyed the main websites 206 post-secondary education institutions operating in Canada to determine which sites used HTTPS. Our testing comprised checking the server response received by a browser and the browser's assessment of any encryption being used to secure the connection. Approximately, 10% of the sites were confirmed as having implemented HTTPS. For the sub-group of sites that have implemented HTTPS we then tested the 'quality' of the implementation. The results of the additional testing are shown in Graph 2. Data updated 2016-03-05 as two additional HTTPS sites brought to our attention.
Graph 2: Qualsys Overall Rating For Sub-group Of HTTPS-enabled Websites
For the 20 sites that reported secure HTTPS connections, we submitted the primary URL to QUALSYS SSL LABS for a third-party assessment of the quality of the HTTPS implementation. We requested that Qualsys not display the urls we submitted for testing in its results tables. One site obtained an A+ rating (our HTTPS server configuration experience confirms that obtaining a high rating can be time consuming). The balance of the sites had relatively minor issues, but a small group had their rating limited to C, due to weaknesses in their server configuration. We highly recommend replicating the Qualsys test, where applicable, and reviewing the detailed results. Data updated 2016-03-05 to include two additional HTTPS sites brought to our attention.