Has HTTPS adoption reached the tipping point


Has HTTPS adoption reached the tipping point

Cambre, Aren

Noted computer security expert Troy Hunt says HTTPS adoption has reached the tipping point: https://www.troyhunt.com/https-adoption-has-reached-the-tipping-point/

 

What’s holding us back?

 


Aren Cambre, D.Eng., '99, '03, '14
Director, Web Application Services
Office of Information Technology
Southern Methodist University

 

 



You are currently subscribed to [hidden email].
To unsubscribe send an email to [hidden email] with the subject line unsubscribe uwebd. Leave the message body blank. If you experience problems, contact list owner Eric Kreider at [hidden email]. More information is available at: http://www.uakron.edu/webteam/university-web-developers.dot





Re: Has HTTPS adoption reached the tipping point

Paul Bradley-2

Aren,

 

A disclaimer, a couple of observations and three questions for the wider audience.

 

The disclaimer: our company is not in the security business, but we do care about trust and privacy, so we follow the HTTPS ‘debate’ closely.

 

Observations

 

We wrote a blog post about two weeks ago in which we published some stats on HTTPS adoption by Canadian, UK and US higher education websites: 17.9%, 22.2% and 14.0% respectively.

 

As the Troy Hunt post indicates, the roll out of Chrome browser updates through 2017 will increasingly highlight “insecure” HTTP connections with URL bar warnings.

 

At first, only pages with password or credit card entry over HTTP will attract the “Not Secure” message. Eventually, Chrome will show a Not Secure warning for any HTTP connections. With relatively low HTTPS adoption rates, higher education website users will see plenty of warnings.

 

As the Qantas example in Troy’s post shows, the Chrome roll out has started. Here’s a further example of the warning from a Canadian university website (and not as readily found), captured on January 31, 2017 (domain name obscured to save a few blushes):

 

Questions

 

Our working assumption is that HTTPS adoption is a strategic matter. An issue of trust and privacy: website users should know that their browsing activity is private.

 

Is higher education’s relatively slow adoption of HTTPS because it is seen as a technical rather than strategic issue? Or is it about perceived cost? (see Let’s Encrypt for free SSL certificates).

 

Why don’t more higher education HTTPS adoptees go further and implement EV certificates?

 

Regards,

 

Paul Bradley

 

Twitter:        @OnCoFo

Blog:              Show Me The Data

Website:       eQAfy

LinkedIn:     Paul Bradley

Phone:          +1 416 464 9771 | +44 20 3290 3573

 

 

 

 

From: "Cambre, Aren" <[hidden email]>
Reply-To: <[hidden email]>
Date: Wednesday, 1 February 2017 at 08:59
To: "[hidden email]" <[hidden email]>
Subject: [uwebd] Has HTTPS adoption reached the tipping point

 

Noted computer security expert Troy Hunt says HTTPS adoption has reached the tipping point: https://www.troyhunt.com/https-adoption-has-reached-the-tipping-point/

 

What’s holding us back?

 


Aren Cambre, D.Eng., '99, '03, '14
Director, Web Application Services
Office of Information Technology
Southern Methodist University

 

 


RE: Has HTTPS adoption reached the tipping point

Cambre, Aren

“Is higher education’s relatively slow adoption of HTTPS because it is seen as a technical rather than strategic issue?”

 

While important, web is not “line of business”-level criticality for most higher eds as it would be for, say, online retail companies. That supports the “it’s just a technical issue” mindset.

 


Aren Cambre, D.Eng., '99, '03, '14
Director, Web Application Services
Office of Information Technology
Southern Methodist University

 

 

From: Paul Bradley [mailto:[hidden email]]
Sent: Wednesday, February 1, 2017 9:35 AM
To: [hidden email]
Subject: Re: [uwebd] Has HTTPS adoption reached the tipping point

 

Aren,

 

A disclaimer, a couple of observations and three questions for the wider audience.

 

The disclaimer: our company is not in the security business, but we do care about trust and privacy, so we follow the HTTPS ‘debate’ closely.

 

Observations

 

We wrote a blog post about two weeks ago in which we published some stats on HTTPS adoption by Canadian, UK and US higher education websites: 17.9%, 22.2% and 14.0% respectively.

 

As the Troy Hunt post indicates, the roll out of Chrome browser updates through 2017 will increasingly highlight “insecure” HTTP connections with URL bar warnings.

 

At first, only pages with password or credit card entry over HTTP will attract the “Not Secure” message. Eventually, Chrome will show a Not Secure warning for any HTTP connections. With relatively low HTTPS adoption rates, higher education website users will see plenty of warnings.

 

As the Qantas example in Troy’s post shows, the Chrome roll out has started. Here’s a further example of the warning from a Canadian university website (and not as readily found), captured on January 31, 2017 (domain name obscured to save a few blushes):

 

Questions

 

Our working assumption is that HTTPS adoption is a strategic matter. An issue of trust and privacy: website users should know that their browsing activity is private.

 

Is higher education’s relatively slow adoption of HTTPS because it is seen as a technical rather than strategic issue? Or is it about perceived cost? (see Let’s Encrypt for free SSL certificates).

 

Why don’t more higher education HTTPS adoptees go further and implement EV certificates?

 

Regards,

 

Paul Bradley

 

Twitter:        @OnCoFo

Blog:              Show Me The Data

Website:       eQAfy

LinkedIn:     Paul Bradley

Phone:          +1 416 464 9771 | +44 20 3290 3573

 

 

 

 


Re: Has HTTPS adoption reached the tipping point

Paul Kelly
In reply to this post by Cambre, Aren
We switched the University of York website (york.ac.uk) to be available only over HTTPS just earlier this week. 

For us it was something that we and our IT colleagues had talked about doing for years, but it was always seen as something that was important, but not that urgent, so frequently got bumped down the list behind other projects. 

When it finally came to doing it, a lot of the legwork was in finding and fixing content and applications that contained hardcoded HTTP references for JavaScript, iframes, form submissions, etc. - so that they wouldn't throw security warnings (or completely fail to work) when the switch to HTTPS took place.

There's a useful post on The Guardian's developer blog about both the editorial and technical challenges they faced when they went to HTTPS, many of which would equally apply to any large university website: https://www.theguardian.com/info/developer-blog/2016/nov/29/the-guardian-has-moved-to-https

Paul


On 1 February 2017 at 13:59, Cambre, Aren <[hidden email]> wrote:

Noted computer security expert Troy Hunt says HTTPS adoption has reached the tipping point: https://www.troyhunt.com/https-adoption-has-reached-the-tipping-point/

 

What’s holding us back?

 


Aren Cambre, D.Eng., '99, '03, '14
Director, Web Application Services
Office of Information Technology
Southern Methodist University

 

 




--
Paul Kelly
User Experience and Design Officer
Strategic Marketing and Digital Communications, University of York
[hidden email] | 01904 324578

Find out what we're working on: Team blog | @UoYDigital on Twitter

CMS and web content help: Web CMS guide | [hidden email] | 01904 324127
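
Added example (not part of the original thread, and not code from any poster or their institution): a Python sketch of the audit described in the message above, finding hardcoded http:// references for scripts, iframes, stylesheets, images and form targets before a switch to HTTPS. It assumes browsers block plain-HTTP scripts, iframes and stylesheets on an HTTPS page and only warn for images and form targets; the names `SUBRESOURCES`, `MixedContentFinder` and `find_hardcoded_http` and the example.org sample page are constructed for illustration.

```python
from html.parser import HTMLParser

# tag -> (URL attribute, assumed effect once the page is served over HTTPS):
# "blocked" loads fail outright, "warning" loads degrade the security indicator.
SUBRESOURCES = {
    "script": ("src", "blocked"),
    "iframe": ("src", "blocked"),
    "link": ("href", "blocked"),    # only when rel includes "stylesheet"
    "img": ("src", "warning"),
    "form": ("action", "warning"),  # submission would travel over plain HTTP
}


class MixedContentFinder(HTMLParser):
    """Collects hardcoded http:// subresource and form-target references."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, url, effect)

    def handle_starttag(self, tag, attrs):
        if tag not in SUBRESOURCES:
            return  # e.g. <a href="http://..."> is navigation, not a subresource
        attr_name, effect = SUBRESOURCES[tag]
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if tag == "link" and "stylesheet" not in rel:
            return  # rel="canonical" and similar are never fetched
        url = (attrs.get(attr_name) or "").strip()
        if url.lower().startswith("http://"):
            line, _col = self.getpos()
            self.findings.append((line, tag, attr_name, url, effect))


def find_hardcoded_http(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page (not taken from any real site).
SAMPLE = """<html><head>
<link rel="canonical" href="http://www.example.org/apply">
<link rel="stylesheet" href="http://static.example.org/site.css">
<script src="HTTP://static.example.org/menu.js"></script>
<script src="//cdn.example.org/lib.js"></script>
</head><body>
<a href="http://www.example.org/about">About</a>
<img src="http://static.example.org/crest.png">
<iframe src="https://maps.example.org/campus"></iframe>
<form action="http://forms.example.org/enquiry" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, url, effect in find_hardcoded_http(SAMPLE):
        print(f"line {line}: {effect:7} <{tag} {attr}> {url}")
```

Ordinary links (`<a href>`), protocol-relative URLs and `rel="canonical"` are deliberately not reported, since none of them makes an HTTPS page load or submit anything over plain HTTP.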



Re: Has HTTPS adoption reached the tipping point

Bauserman, Andrew A
In reply to this post by Cambre, Aren
Speaking for myself & not my employer...

What's holding us back? Inertia. "If it ain't broke, why fix it?"

Google can be heavy-handed – but I'm generally a supporter. They force us to improve. Otherwise, until someone inserts malicious images (or cable providers insert tracking cookies and advertisements?) onto our pages, we don't seem to care :(

Most of our servers support (but don't require) TLS/https. We generally test that code works either way. Flipping the switch on those servers won't be a problem. Any server supporting login should already be forcing TLS/https. Even so, there are always stragglers that didn't get the memo (yeah, right).

I'm definitely on the "TLS always" side of the fence, and thank Google for another bullet point to make my case. As always, YMMV...

--
Andrew Bauserman
University Web & Design
William & Mary




RE: Has HTTPS adoption reached the tipping point

Piero Tintori
On a related note, are any of you considering moving to support HTTP / 2.0 any time soon?

-----Original Message-----
From: Bauserman, Andrew [mailto:[hidden email]]
Sent: 02 February 2017 15:01
To: [hidden email]
Subject: [uwebd] Re: Has HTTPS adoption reached the tipping point

Speaking for myself & not my employer...

What's holding us back? Inertia. "If it ain't broke, why fix it?"

Google can be heavy-handed - but I'm generally a supporter. They force us to improve. Otherwise, until someone inserts malicious images (or cable providers insert tracking cookies and advertisements?) onto our pages, we don't seem to care :(

Most of our servers support (but don't require) TLS/https. We generally test that code works either way. Flipping the switch on those servers won't be a problem. Any server supporting login should already be forcing TLS/https. Even so, there are always stragglers that didn't get the memo (yeah, right).

I'm definitely on the "TLS always" side of the fence, and thank Google for another bullet point to make my case. As always, YMMV...

--
Andrew Bauserman
University Web & Design
William & Mary


------
This email has been scanned for spam and malware by The Email Laundry.





RE: Has HTTPS adoption reached the tipping point

Tommy McGahee
In reply to this post by Cambre, Aren
We’re moving all of our web environments to HTTPS by the end of this year. We are playing catchup and it is waaaaaaay past time for everyone to make the switch.


Tommy McGahee
Web Developer
University System of Georgia
[hidden email]
706 583 2100

On 2/2/17, 10:27 AM, "Piero Tintori" <[hidden email]> wrote:

    On a related note, are any of you considering moving to support HTTP / 2.0 any time soon?
   

RE: Has HTTPS adoption reached the tipping point

Smith, Brian J-2
We're going to switch at some point. We're just in the research phase now though.

Brian Smith
Web Flunky
UAlbany

-----Original Message-----
From: Tommy McGahee [mailto:[hidden email]]
Sent: Thursday, February 02, 2017 10:47 AM
To: [hidden email]
Subject: Re: [uwebd] RE: Has HTTPS adoption reached the tipping point

We’re moving all of our web environments to HTTPS by the end of this year. We are playing catchup and it is waaaaaaay past time for everyone to make the switch.


Tommy McGahee
Web Developer
University System of Georgia
[hidden email]
706 583 2100
