1 of 22

Why Libraries need HTTPS

Please write questions on cards provided

Jacob Hoffman-Andrews

jsha@eff.org

GPG: E3E2 38BB 9AE1 D022 6B40 0CAD 3CBF 8C99 F1FA F31D

2 of 22

Goal:

Learn enough about HTTPS to make the case to use it on all of your library’s web sites.

3 of 22

What is HTTPS?

4 of 22

In Chrome:

HTTP:

HTTPS:

5 of 22

In Firefox:

HTTP:

HTTPS:

6 of 22

History of HTTPS

Originally used to protect passwords and credit card data.

Technologists later showed it’s necessary for all parts of a web site.

Also, it’s much easier now.

7 of 22

HTTPS Protects

Passwords

Catalog searches

Patron account data

8 of 22

HTTPS Protects Against

ISPs

Other patrons

Mass surveillance

9 of 22

HTTPS Doesn’t Protect Against

Malware

Spam

Hacking

10 of 22

Why is HTTPS important for libraries?

11 of 22

What’s so hard about HTTPS?

12 of 22

Certificates

Get one from a Certificate Authority.

Used to be expensive, now free.

About 1-3 hours to set up.

Let’s Encrypt will make it easier!

13 of 22

Embedded Content

Images, JavaScript, CSS

14 of 22

Mixed Content

When site is HTTPS, but Embedded Content is HTTP, site is not fully safe.

Images

(passive content)

JavaScript & CSS

(active content, blocked by browser)

15 of 22

Fixing Mixed Content

Find and replace http://mylibrary.org with https://mylibrary.org in HTML.

(double check all links before deploying!)

Some databases may need editing too.

Browser console can help diagnose.

16 of 22

Third party mixed content

e.g. http://use.typekit.net/xhz8mgf.js

Often, just change the URL to https://

Sometimes, resource is not available.

Copy locally or use different resource
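
Added example, not from the original slides: a small scanner that lists embedded `http://` resources in a page, labels each as active or passive content, and says whether it lives on your own host or a third party. The function names and the sample page are constructed for illustration; the host and the Typekit URL are the ones used on the slides.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class MixedContentFinder(HTMLParser):
    """Collects embedded resources that would load over plain HTTP."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.findings = []  # (line, kind, scope, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            kind, url = "active", a.get("src")
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            kind, url = "active", a.get("href")
        elif tag == "img":
            kind, url = "passive", a.get("src")
        else:
            return  # <a href> is navigation, not embedded content
        if not url:
            return
        parts = urlsplit(url.strip())
        if parts.scheme.lower() != "http":
            return  # https:// and relative URLs are not mixed content
        scope = "own" if parts.hostname == self.own_host else "third-party"
        self.findings.append((self.getpos()[0], kind, scope, url.strip()))


def find_mixed_content(html, own_host):
    finder = MixedContentFinder(own_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page for the example.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://mylibrary.org/css/site.css">
<script src="http://use.typekit.net/xhz8mgf.js"></script>
<script src="https://mylibrary.org/js/catalog.js"></script>
</head><body>
<img src="http://mylibrary.org/img/logo.png">
<a href="http://example.org/">External link</a>
</body></html>"""

if __name__ == "__main__":
    for line, kind, scope, url in find_mixed_content(SAMPLE, "mylibrary.org"):
        print(f"line {line}: {kind:7} {scope:11} {url}")
```

"own" findings are candidates for the find and replace step; "third-party" findings need a check that the resource is actually served over https:// before the URL is changed.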

17 of 22

Performance

No longer an issue.

18 of 22

HTTPS by default

Patrons should automatically get HTTPS site even if they don’t know to ask.

See federal HTTPS-Only standard:

https.cio.gov

19 of 22

Browser extension for Chrome, Firefox, Firefox for Android, and Opera

Curated list of 14k+ websites that support HTTPS but don’t make it default.

You can add your library to the list!

20 of 22

But this is a stopgap. Plan for HTTPS by default.

https://eff.org/https-everywhere

21 of 22

New, free Certificate Authority will automate certificate issuance and install.

Launches week of September 14.

Run by a non-profit, ISRG.

1-3 hours to install -> 5 minutes.

22 of 22

HTTPS and filtering