
HTTPS: It’s Way Past Time - A guest post from TJ Lamanna

SSLLabs.com security summary graphic

Brace for impact. Well, maybe not impact, but phone calls and emails to be sure. Google announced that in July 2018 they will be flagging all non-HTTPS sites as insecure, which means your patrons are going to get a warning whenever they try to access your site. And for roughly 90% of public U.S. libraries, this is going to be the case. That’s right, according to my latest statistics only 1620 out of 16221 public libraries in the U.S. use HTTPS for their websites (catalogs are a beast of a different color). U.S. libraries are trailing far behind the national average, and for a group that lauds itself as a bastion of privacy, we need to do better. For instance, the graphics below show the average for Alexa’s list of most popular websites [Fig. 1]. I use SSLLabs reports both to look at trends and to run audits; you can do so yourself at SSLLabs.com. There you can audit your server or browser, or use Pulse to check out current trends and see how we’re stacking up.

Another great source of information is Let’s Encrypt’s Stat page [Fig. 2], which gives clear and accurate trend information, not just for the U.S. but globally. There has been a massive uptick in certs since January of last year, with the U.S. going from about 50% to close to 80%! And this is compared to U.S. libraries hovering under 10%. There is no clear reason why this is, and it’s something easily remedied. I’m hoping this post and upcoming articles and webinars will help boost those numbers. The bulk of my information on HTTPS in U.S. public libraries comes from librarytechnology.org, so please, go there and check out your library. If your information is not accurate, please let me know so we can update it and get a better reflection!

The question is, why now? Why is Google pushing this now? Well, Roger Montti lays it out fantastically in his article Google Engineer Lists 4 Powerful Reasons Why Sites Should Upgrade to HTTPS, but to summarize, he lists four main reasons:

  • HTTPS is Not Just About Google – this standard aims to benefit everyone. Google didn’t start it, but because they are a massive company, their push has brought it more to the forefront. Groups have been pushing it since 1994, when Netscape started creating the SSL protocol (they are now the Mozilla Foundation).
  • HTTPS Enables a Trouble Free Internet – I want to be clear, it enables, but in no way guarantees a trouble free internet, but it does help. A lot. This standard lays a foundation that even better security can be built on.
  • HTTPS Enables Browser Service Workers – as more and more apps are developed, we rely more on APIs to help keep the internet moving, and this explicitly needs safe protocols. With more information being transmitted, these protocols are essential.
  • The Internet Should Be Safe – This may seem intuitive, but it’s a foundational principle to the internet. You should feel safe and secure when you use the internet, and HTTPS goes a long way to both help secure the internet and build the public trust.

So, if you don’t want your staff spending all their time assuring patrons that your site is secure (and if you’re not using HTTPS, you’ll be lying to them), now is the time to make the switch. And honestly, it’s pretty easy. If your site is hosted by your state library, contact them immediately and ask them to enable HTTPS for your site! There might be some hiccups with what we call mixed media, which are URLs embedded on your page that point to insecure sites, but that’s far better than sending everything as clear text! If you’re hosting your own site, it’s a little trickier than just picking up the phone, but not that much more difficult. I cannot recommend enough the good people at Let’s Encrypt and the amazing work they do. Most hosting sites make it easy (and almost all are free) to enable HTTPS for your site. I personally use Heroku for a lot of lightweight and quick-deploy sites, and it’s just the click of a button to do it. If you’re hosting in-house, let your I.T. staff know they need to get on this immediately.
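An added example, not part of the original post: a small Python audit for the embedded-URL hiccup described above, which browsers report as mixed content. It lists every resource a page would still load over plain HTTP once the page itself is served over HTTPS. The sample page, the example.org hostnames and the function and class names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag/attribute pairs whose URL the browser loads (or, for forms, submits to).
# Plain <a href> links are navigation, not embedded content, so they are skipped.
EMBED_ATTRS = {"img": "src", "script": "src", "iframe": "src", "audio": "src",
               "video": "src", "source": "src", "embed": "src",
               "object": "data", "form": "action"}
# <link href> only triggers a load for rel values such as these.
LOADING_RELS = {"stylesheet", "icon", "preload", "manifest"}
# Constructed sample page; the example.org hostnames are placeholders.
SAMPLE_HTML = """<head>
<link rel="stylesheet" href="http://fonts.example.org/lib.css">
<script src="//cdn.example.org/app.js"></script>
</head><body>
<a href="http://www.example.org/">Partner site</a>
<img src="/images/logo.png">
<img src="http://catalog.example.org/covers/123.jpg">
</body>"""

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url   # URL the page is (or will be) served from
        self.findings = []         # (line, tag, attribute, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = EMBED_ATTRS.get(tag)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            attr = "href" if rels & LOADING_RELS else None
        value = attrs.get(attr) if attr else None
        if value:
            # Resolve relative and protocol-relative (//host/path) URLs first.
            resolved = urljoin(self.page_url, value.strip())
            if urlparse(resolved).scheme == "http":
                self.findings.append((self.getpos()[0], tag, attr, resolved))

def find_mixed_content(html, page_url):
    """Return (line, tag, attribute, url) for each insecure embedded resource."""
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for line, tag, attr, url in find_mixed_content(SAMPLE_HTML, "https://library.example.org/"):
        print(f"line {line}: <{tag} {attr}> loads {url}")
```

Relative and protocol-relative URLs inherit the page's scheme, so they stop being a problem as soon as the page moves to HTTPS; only hard-coded `http://` references need to be edited.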

Implementing an SSL certificate isn’t difficult, and I can recommend Mike Robinson’s posts on implementing certs on Library OPACs and API Servers, which can be found here and here. I understand that this can be quite daunting, especially if you haven’t done something like this before, but there are organizations and walkthroughs that can get even the most novice of web admins going quickly and easily.

Most libraries don’t seem to be hosting their own sites, which adds an additional layer of difficulty (or ease, depending on who’s hosting it). For instance, if your township administrates your site, they will most likely be adding a certificate; just make sure they add one for the library domain! They’ll most likely want to keep the township site’s information secure, especially if they solicit questions from the community. If you’re hosted, and paid a vendor to create your site, you should contact them and let them know you want an SSL certificate added to your domain. If you do it in-house, but aren’t confident in your ability to add it yourself, Let’s Encrypt is a valuable tool I cannot recommend highly enough.

This post isn’t meant to be alarmist, but forewarned is forearmed, and I’m not going to delve into the details on how to deploy it, but I’m always happy to chat and give you a hand if you want. You can find me on Twitter @paraVestibulum or email me: professionalirritant@riseup.net