how seriously are UK public libraries taking web security, and how can it be tested?
You want to talk in confidence with someone while in public. To do this you need to:
Perhaps they would show you some ID. You may even shake hands, and in a secret handshake, agree a code to talk in.
Information Technology often borrows real-world terminology to describe technical processes. The situation above is played out whenever you visit a website over an encrypted connection, indicated by the HTTPS (https://) prefix in the address. This encryption is often described as SSL encryption. The following are all technical terms that relate to this process.
Using encryption on the web has been regarded as essential for login and payment transactions, but is now frequently being used for all online communications.
It's important to assess the requirement for encryption not only in the context of the risk to the data held by that particular service. Many recent hacks against individuals have resulted from credentials leaked from insecure accounts being used to gain access to more secure services. Facebook CEO Mark Zuckerberg had his Twitter and Pinterest accounts hacked as a result of leaked LinkedIn credentials. Twitter CEO Jack Dorsey and Google CEO Sundar Pichai have had similar experiences. If a service requires a login, the likelihood is that those same credentials are securing data elsewhere. Protecting them is essential.
In a library context, the patron credentials that need protecting are usually a user ID and a PIN or password. An individual's library account may then hold information such as email address, home address, date of birth, and even equalities information about the individual. How well do UK library services protect that information and ensure its security? Logging in to a web catalogue should only be offered over a good standard of encryption. Anything less would compromise the organisation's credibility in storing personal data.
However, encryption is not just a yes/no. Getting it right means addressing at least the following situations:
| Category | Description |
|---|---|
| Only HTTP and no HTTPS | Sites that offer no encryption at all. |
| HTTP and HTTPS (Mixed Content) | Sites where there is a mix of HTTPS and HTTP content on a page (for example, the page may include an image with an HTTP URL). The URL in the web browser will appear to be HTTPS, but the browser is less likely to show the site as secure (e.g. padlock and green address bar). |
| HTTPS (Allows HTTP) | Sites that offer encrypted login but do not enforce it. For example, a link could be shared that mistakenly used an HTTP address. Sites should enforce the use of encryption if it is available. |
| HTTPS (vulnerable) | Sites that offer encryption but where there could be issues with the implementation or the certificate. Browsers can offer some indication of this quality (such as a 'full green bar'), but more advanced checks are available. |
| HTTPS (good) | Sites that have a high-quality implementation of encryption. |
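As an added illustration (not code from the original post), the following Python script maps a site onto the five categories in the table above. It collects a few observable facts about a host (does HTTPS answer, does the certificate validate, does plain HTTP redirect to HTTPS, is a Strict-Transport-Security header sent, does the page reference http:// subresources) and then applies the classification. The hostnames and sample HTML are constructed for the example; `probe` needs network access, while `classify` and `find_mixed_content` run offline. Its "vulnerable" check is limited to certificate validation, and "good" here means only a valid certificate with HTTPS enforced by redirect and HSTS; grading of protocol versions and cipher suites is left to the more advanced checks the table mentions.

```python
"""Classify a web catalogue's HTTPS posture into the five categories from the
table above.  Added example, not from the original post.  Hostnames and the
sample HTML are constructed; the heuristics are deliberately simple."""
import re
import ssl
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Observation:
    """What a single probe of one host found (facts, not verdicts)."""
    host: str
    https_reachable: bool           # a TLS connection on 443 produced an HTTP response
    cert_ok: bool                   # the certificate validated against the system trust store
    http_redirects_to_https: bool   # plain http:// answered with a redirect to https://
    hsts_header: Optional[str]      # Strict-Transport-Security value, if any
    html: str                       # body fetched over HTTPS ("" if nothing was fetched)


# Subresources a browser would load over plaintext: img/script/iframe/etc. src=
# and <link href=> (stylesheets, icons).  Plain <a href> links are navigations,
# not mixed content, so they are ignored on purpose.
SUBRESOURCE_RE = re.compile(
    r"""<(?:img|script|iframe|source|audio|video|embed)\b[^>]*?\ssrc\s*=\s*["'](http://[^"'\s>]+)"""
    r"""|<link\b[^>]*?\shref\s*=\s*["'](http://[^"'\s>]+)""",
    re.IGNORECASE,
)


def find_mixed_content(html: str) -> List[str]:
    """Return the http:// subresource URLs referenced by an HTML document."""
    return [a or b for a, b in SUBRESOURCE_RE.findall(html)]


def classify(obs: Observation) -> Tuple[str, List[str]]:
    """Map an Observation onto the table's categories, with the reasons."""
    if not obs.https_reachable:
        return "Only HTTP and no HTTPS", ["nothing answered over TLS on port 443"]
    if not obs.cert_ok:
        return "HTTPS (vulnerable)", ["certificate did not validate (expired, wrong name or untrusted issuer)"]
    mixed = find_mixed_content(obs.html)
    if mixed:
        return "HTTP and HTTPS (Mixed Content)", [f"plaintext subresource: {u}" for u in mixed]
    findings = []
    if not obs.http_redirects_to_https:
        findings.append("http:// does not redirect to https://")
    if not obs.hsts_header:
        findings.append("no Strict-Transport-Security header")
    if findings:
        return "HTTPS (Allows HTTP)", findings
    return "HTTPS (good)", ["HTTPS enforced by redirect and HSTS; certificate valid"]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following redirects so the http:// answer can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(host: str, timeout: float = 10.0) -> Observation:
    """Collect an Observation from a live host (needs network access)."""
    https_ok, cert_ok, hsts, html = False, False, None, ""
    try:
        with urllib.request.urlopen(f"https://{host}/", timeout=timeout) as resp:
            https_ok = cert_ok = True
            hsts = resp.headers.get("Strict-Transport-Security")
            html = resp.read(500_000).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:       # 4xx/5xx still proves TLS and the cert worked
        https_ok = cert_ok = True
        hsts = err.headers.get("Strict-Transport-Security")
    except urllib.error.URLError as err:
        if isinstance(err.reason, ssl.SSLError):  # handshake ran but cert/protocol failed
            https_ok, cert_ok = True, False
    redirects = False
    try:
        with urllib.request.build_opener(_NoRedirect()).open(f"http://{host}/", timeout=timeout):
            pass                                 # 200 over plain HTTP: nothing enforced
    except urllib.error.HTTPError as err:        # redirect surfaces as HTTPError with no handler
        location = err.headers.get("Location", "")
        redirects = err.code in (301, 302, 307, 308) and location.lower().startswith("https://")
    except urllib.error.URLError:
        pass                                     # no plain-HTTP listener at all
    return Observation(host, https_ok, cert_ok, redirects, hsts, html)


# Constructed page: one plaintext stylesheet and one plaintext image alongside
# an HTTPS script and an ordinary http:// hyperlink (the link is not mixed content).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/style.css">
<script src="https://catalogue.example.test/app.js"></script>
</head><body>
<img src="http://images.example.test/logo.png" alt="logo">
<a href="http://www.example.test/about">About the library</a>
</body></html>"""


if __name__ == "__main__":
    obs = probe(sys.argv[1]) if len(sys.argv) > 1 else Observation(
        "catalogue.example.test", True, True, True, "max-age=31536000", SAMPLE_HTML)
    category, reasons = classify(obs)
    print(f"{obs.host}: {category}")
    for reason in reasons:
        print(f"  - {reason}")
```

Run it with a hostname as the only argument to probe a live site; with no argument it classifies the embedded sample page, which lands in the Mixed Content category because of the plaintext stylesheet and image. The rule order matters: a site with no HTTPS at all is reported as such before any mixed-content or enforcement check, and a certificate failure is reported before the page body is inspected, since nothing was fetched in that case.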
Current UK public web catalogues are shown below, with an indicator as to whether HTTPS is available, and any issues if so. This does not give full details of security vulnerabilities, and it's advised services do their own checking. If any further guidance is needed in doing this please get in contact.
The majority of these can be tested simply by visiting the site, but for further methodology see the 'what to do' suggestions below.
This post will be updated regularly to reflect changes. All of the library services with seriously failing standards were contacted with Freedom of Information requests asking what they were doing to address the security concerns. Some responded by installing certificates, some did nothing, and others have deferred action until future system changes.
Are you part of a local authority? Firstly, try to ensure your IT department includes the web catalogue in any annual penetration tests carried out as part of their PSN accreditation. Not only will the tests be carried out by external, accredited professionals, but negative results will be dealt with urgently. For library services that are outsourced from the local authority, this is no reason not to have strict IT security standards: the same tests should be completed on an annual basis.
Some basic testing of web security doesn't need experienced penetration testers (sometimes known as ethical hackers). The following steps can be undertaken: