School website security padlock

As with banks and online shops, website hosting for all schools should have strong, encryption based security, as signified by a green padlock.

So say leading experts, who are making this statement not only about school websites but all websites.

Despite what you might be thinking, this has nothing to do wth Ofsted. It comes from a much bigger, more influential and more important global organisation. We are talking about Google.

Google are saying, that for safeguarding reasons. All websites, should operate under a security certificate. And most independant experts agree with them.

Some know this technology as SSL or TLS (Wikipedia). But for the rest of us, web security is about seeing the 'green padlock' next to the address bar of our web browser. We have all seen this symbol on shopping websites, when attending to our online banking or when doing a google search.

When a website is secure, it encrypts any information which travels over the internet. Between the website, it's visitors and the owners of the website. This means that things like credit card details, user names or passwords remain safe. And the same level of privacy is also applied to messages sent via a website's contact form.

Why does this matter for a school?

A school's contact form is one area of concern. Where a parent may wish to communicate with a school about their child. Unless secured, messages sent via any contact form are open to intercept.

Known as a 'man in the middle' attack by hackers. It is where a malicious person inserts him/herself into a conversion between two parties. From here they have the potential to eavesdrop or masquerade as either side.

It isn't necessary to be a high-tech wiz-kid to do this. Anybody sat in the same building or even on public transport, could do this. All it takes is for both parties to be using a common wifi connection.

As for user names and passwords. Unless encrypted, these details often get stolen and then get sold on the dark web. Criminals know that many people use the same details for every website they visit.

This includes high profile destinations such as Amazon, Paypal and Apple. People often trust these organisations with their credit card and bank details. This is why this crime is so common. See where it can lead?

For this reason, many experts now hold the view that all websites should be secure. And not only those which process credit cards.

Google is leading the campaign with it's very popular Chrome browser. And starting this month (January 2017), it will start to alert users to websites which are not secure. 

To start with, this will only be on insecure web pages which ask for credit card details or passwords. But this will expand, in time, to include ordinary web pages. And will culminate with all insecure websites getting a big red triangle.

"This is an important development and it will be reported in the media over coming months". 

In the past, security certificates have been quite expensive to own. They cost anything from £50 to £300 per year, plus the cost of installing, maintaining and renewing them. This cost is usually applied on top of annual hosting fees.

Online retailers accept this expense as a cost of doing business. But many normal website owners, not surprisingly, do not want to carry this overhead.

In common with most other website providers, we have been waiting for prices to come down. And after a long wait, we have now arrived at time, where low-cost security is now a viable thing for a non-commercial website owner.

This is great news, but it doesn't mean that becoming more secure will be without cost altogether. There is still a need to invest in infrastructure and support. And to have systems which will renew the certificates when they expire.

The certification process is not trivial and involves important changes to hosting configurations.  Any reputable provider should be able to do this for you, but it is not easy and most will want to charge an annual fee.

In readiness for the upcoming changes. Easable will apply security certificates to any website provided by ourselves. We will do this for one time fee of just £95. Moreover, there will be no increase to annual maintenance fees relating to certification.


Updated 26th January, 2017

Chrome 56 started to automatically update today.

Unprotected login forms now display a 'Not secure' warning in Chrome's address bar. This warning will apply to pretty much any website which uses a content management system such as Wordpress, Joomla, Web Presence Manager or Drupal.


Updated 17th May, 2017

With the recent ransomware attack that crippled the NHS, the importance of all aspects of digital security are once again brought into sharp focus.

Whilst the NHS problem affected Windows computers which had not been updated, similar such exploits exist for normal websites, including those built with content management frameworks such as Wordpress, Joomla and Drupal. 

At easable.net we take these threats very seriously and have a regular programme of maintenance and security updates which go on quietly in the background, to ensure that website software is always up to date and secure.

To further strengthen this security, we recommend that all school websites have a security certificate, denoted by a green padlock. Such precautions ensure that user names and passwords, remain encrypted when traveling across the internet. And such precautions go a long way to preventing identity fraud, which can enable malicious hackers to access ordinary people's email services and even bank accounts.


Updated 27th March, 2018

Following an observation by one of our school customers, I was reminded today that not every website has gotton around to applying a security certificarte to their website.

As the article below explains, Google will be applying the final stages of the 'outing' strategy in July and will be labelling insecure websites as such in their Chrome browser

https://techcrunch.com/2018/02/08/chrome-will-soon-mark-all-unencrypted-pages-as-not-secure/

0 Comments
Dec 26, 2016 By paul.driver