Part II: Secure Browsing
Browsing websites via the insecure HTTP protocol allows third parties to track what pages you view and the information you send online, to inject and deliver malware to users’ computers, and even to modify the content of the websites you are viewing. It is for this reason that leading internet security authorities have long championed that all websites use the HTTPS protocol by default.
The ‘S’ in HTTPS stands for ‘secure’, and its implementation by website owners—along with other necessary steps—is leading to a safer and more secure browsing experience for visitors. A related ancillary benefit of HTTPS is that it helps websites load more quickly.
Better security, increased privacy protections, malware protection, an assurance that website visitors are viewing the intended content (and not content modified by malicious third-parties), and faster website loading: what’s not to like?
“All browsing activity should be considered private and sensitive.”
– Tony Scott, Federal Chief Information Officer (Executive Order M-15-13), June 8, 2015
Who are some of the parties committed to better securing website browsing?
- The federal government committed to providing HTTPS protections for all of the websites they manage.
- The Freedom of the Press Foundation committed to securing the world’s largest online news sites.
- This month, Google’s Chrome browser will begin to show the “Not secure” warning when users enter any data on an HTTP page, as well as on all HTTP pages visited via the browser’s Incognito mode.
Thanks to these and related efforts, the shift to more secure internet browsing is well underway. For instance, this graph shows the percentage of web pages loaded by Firefox using HTTPS over the last 14 days. It shows that over 60 percent of all such requests were loaded over secure HTTPS (not HTTP). Indeed, the goal of encryption by default on the web appears within reach.
Given this context, do we believe that state and local education agency websites should also be taking these steps with their own websites? Is this a reasonable expectation?
The short answer is: yes.
Analyzing Education Agency Websites
The standard for state and local (school district) education agency websites should be the same that exists for all web traffic: all communications between users and websites should be secured. This standard serves to protect both education agencies and users of their websites.
While previous research by Bill Fitzgerald and colleagues has investigated the rate of select secure browsing adoption practices by educational technology vendors, this study is focused on the security practices of state and local education websites themselves.
This study’s sample included every state department of education website (including the District of Columbia), as well as 159 unique school district websites (comprised of members of the Council of Great City Schools, Digital Promise’s League of Innovative Schools, and participants in the Consortium for School Networking’s Trusted Learning Environment Seal initiative).
A variety of independent, third-party tools exist to automate the evaluation of website security practices. This analysis of state and district education websites—conducted in October 2017—relied on results from Observatory (by Mozilla). Observatory evaluates website security via a transparent methodology and allows the simultaneous evaluation of websites by other popular tools, such as those offered by SSL Labs. Every website in the sample was also reviewed manually to verify automated test results via the Chromium Browser (Version 61.0.3163.100 [Official Build], running on Ubuntu 17.04 [64-bit]).
Findings: State Department of Education Websites
- NOT SECURE: Over one-half (26) of state departments of education make no attempt to secure communications with their websites, actively redirect website users to insecure connections, or have configuration errors that break website security.
- No HTTPS support is offered in 12 states, including Arkansas, Connecticut, Kansas, Maryland, Mississippi, Nevada, New Mexico, Oklahoma, Rhode Island, Vermont, Virginia, and Washington.
- 5 states actively redirect visitors from secure to insecure connections, including Arizona, Florida, New Jersey, New York, and Oregon.
- 6 states do not direct users by default to their secure site (perhaps because of mis-configurations that break HTTPS security on their ‘secure’ site), including: Alabama, Idaho, Louisiana, Maine, Michigan, and Minnesota.
- 3 states have errors in the certificates that guarantee the security of website connections, including Massachusetts, North Carolina, and Pennsylvania.
- MIS-CONFIGURED SECURITY: 8 state departments of education have taken partial steps to secure communications with their websites, but due to configuration errors will leave many (if not most) users communicating over insecure connections. The states that offer partially secure HTTPS security, but do not direct users by default to their secure site include: Colorado, Georgia, Hawaii, Montana, Ohio, South Dakota, Tennessee, and West Virginia.
- PARTIALLY SECURE: Only one-third of state department of education websites offer partial security to all of their users (meaning that users’ browsers will routinely display a ‘secure’ lock in the browser navigation bar). In every one of these 14 cases, however, the state department of education website is still in need of improvement, and tests report potentially significant vulnerabilities. According to independent, third-party tests, four state department of education websites in particular – Iowa, Kentucky, Texas, and South Carolina – each fall short of best practices in particularly significant (and even potentially dangerous) ways.
Findings: School District Websites
- NOT SECURE: Over 43 percent (69) of the 159 unique school districts in the study sample make no attempt to secure communications with their websites, actively redirect website users to insecure connections, or have configuration errors that break website security.
- No HTTPS support is offered by 9 school districts in the sample. Another 15 school districts direct users attempting to reach secure websites to broken or non-functional web pages.
- 8 districts actively redirect visitors from secure to insecure connections.
- 6 school districts do not direct users by default to their secure site (perhaps because of mis-configurations that break HTTPS security on their ‘secure’ site).
- 7 school districts have correctly configured their HTTPS sites, but only for those users redirected from their insecure sites. Direct visitors are offered up mis-configured HTTPS sites.
- 24 districts have errors in the certificates that guarantee the security of website connections.
- MIS-CONFIGURED SECURITY: 23 school districts (14 percent of the sample) have taken partial steps to secure communications with their websites, but due to configuration errors that do not redirect users to their secure sites will leave many (if not most) users communicating over insecure connections.
- PARTIALLY SECURE: 67 school district websites (42 percent of the sample) offer partial security to all of their users (meaning that users’ browsers will routinely display a ‘secure’ lock in the browser navigation bar). In every one of these cases, however, the school district website is still in need of improvement, and tests report potentially significant vulnerabilities.
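The categories used in both findings lists above (no HTTPS support, a secure-to-insecure redirect, HTTPS offered but HTTP visitors not redirected to it, certificate errors, and HTTPS by default) can be reproduced by a small audit script. The following is an added example written for this page, not the study's own tooling or Mozilla's Observatory; the `Probe` fields, the function names, and the `*.example` hostnames are constructed for illustration. It separates the classification (which runs offline on recorded observations) from the live probe (which needs network access), so the rules can be checked against known inputs before pointing the script at a real site list.

```python
"""Classify a website's transport-security posture into the categories used in
this report. Example code added to this page; not the study's tooling.
Probe field names and sample hosts are assumptions constructed for the example."""
import http.client
import ssl
from collections import Counter
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Probe:
    """What an auditor observes when requesting http:// and https:// for one host."""
    host: str
    https_reachable: bool               # TLS handshake and HTTP response succeeded
    cert_valid: Optional[bool]          # None when HTTPS is not reachable at all
    https_final_scheme: Optional[str]   # scheme after following redirects from https://
    http_final_scheme: Optional[str]    # scheme after following redirects from http://


def classify(p: Probe) -> str:
    """Map one probe to the report's category, most severe condition first."""
    if not p.https_reachable:
        return "NOT SECURE: no HTTPS support"
    if p.cert_valid is False:
        return "NOT SECURE: certificate error"
    if p.https_final_scheme == "http":
        return "NOT SECURE: redirects secure to insecure"
    if p.http_final_scheme != "https":
        return "MIS-CONFIGURED: HTTPS offered but HTTP visitors not redirected"
    # HTTPS by default; headers, TLS configuration and cipher choice still need review.
    return "PARTIALLY SECURE: HTTPS by default"


def audit(probes) -> dict:
    """Return {host: category} for a list of probes."""
    return {p.host: classify(p) for p in probes}


def summarize(probes) -> Counter:
    """Count hosts per top-level category, as in the report's NOT SECURE / MIS-CONFIGURED tallies."""
    return Counter(classify(p).split(":")[0] for p in probes)


# --- live probing (network required; the sample run below does not use it) ---

def _fetch(scheme: str, host: str, path: str = "/", timeout: int = 10):
    """One request; return (status, Location header). Raises on TLS or connection failure."""
    if scheme == "https":
        conn = http.client.HTTPSConnection(host, timeout=timeout,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "https-audit-example/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def final_scheme(scheme: str, host: str, max_hops: int = 5) -> str:
    """Follow redirects from scheme://host/ and report the scheme where the user lands."""
    current = (scheme, host, "/")
    for _ in range(max_hops):
        status, location = _fetch(*current)
        if status not in (301, 302, 303, 307, 308) or not location:
            return current[0]
        parts = urlsplit(location)
        if parts.scheme:                       # absolute redirect, may change scheme/host
            current = (parts.scheme, parts.netloc or current[1], parts.path or "/")
        else:                                  # relative redirect keeps scheme and host
            current = (current[0], current[1], location if location.startswith("/") else "/" + location)
    return current[0]


def probe_live(host: str) -> Probe:
    """Build a Probe by actually fetching the host (not exercised by the offline sample)."""
    https_reachable, cert_valid, https_scheme = True, True, None
    try:
        https_scheme = final_scheme("https", host)
    except ssl.SSLCertVerificationError:       # expired, wrong-name or untrusted certificate
        cert_valid = False
    except (OSError, http.client.HTTPException):  # refused, timed out, no TLS listener
        https_reachable, cert_valid = False, None
    try:
        http_scheme = final_scheme("http", host)
    except (OSError, http.client.HTTPException):
        http_scheme = None
    return Probe(host, https_reachable, cert_valid, https_scheme, http_scheme)


# Constructed sample observations, one per category in the report (not real sites).
SAMPLE_PROBES = [
    Probe("no-tls.example", False, None, None, "http"),
    Probe("bad-cert.example", True, False, "https", "http"),
    Probe("downgrade.example", True, True, "http", "http"),
    Probe("no-redirect.example", True, True, "https", "http"),
    Probe("by-default.example", True, True, "https", "https"),
]

if __name__ == "__main__":
    for host, category in audit(SAMPLE_PROBES).items():
        print(f"{host:22} {category}")
    print(dict(summarize(SAMPLE_PROBES)))
```

Run as-is, the script classifies the five constructed observations; replacing `SAMPLE_PROBES` with `[probe_live(h) for h in hosts]` audits real hostnames. The severity ordering in `classify` matters: a site with a bad certificate that also redirects to HTTP is reported for the certificate first, since that is what the visitor's browser blocks on. Observatory and SSL Labs go further (HSTS, content security headers, protocol and cipher configuration), which is why the last category is only "partially secure".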
Of note, school district members of the Council of Great City Schools (CGCS) were more likely to demonstrate better website security practices than those who were members of Digital Promise’s League of Innovative Schools or those participating in CoSN’s Trusted Learning Environment (TLE) Seal initiative. Two-thirds of the CoSN TLE school district cohort and nearly 50 percent of district members of the League of Innovative Schools offered no secure way for users to connect to their school district’s website.
In sum, state and local education agency websites appear to be lagging behind other online sites in providing secure browsing protections to their users. Virtually all state and local education agency websites suffer from configuration errors and/or have not implemented a significant number of website security best practices.
- Only 9 state department of education websites (of 51) scored better than an ‘F’ grade on Mozilla’s Observatory website security assessment. The highest grade offered to any state department of education website was a ‘C-’, which was only offered to the Utah State Board of Education.
- Only 9 school districts of the 159 in the study sample scored better than an ‘F’ grade on Mozilla’s Observatory website security assessment. The highest grade offered to any school district was a ‘D+’, which was only offered to two school districts.
In the next part, we will examine the presence and use of ad tracking and other online surveillance tools employed by state and district education agency websites.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.