New encryption alerts on your catalog

Is your public catalog encrypted? If it is not, you may be affected by changes that shipped in January 2017 in the two most widely used browsers, Chrome and Firefox. Without encryption, your patrons’ logins and other sensitive data cross the Internet in clear text, where anyone on the path (on the library’s Wi-Fi, at the ISP, or anywhere in between) can sniff them. The same goes for everything your catalog displays to logged-in patrons: address, email, birthdate, circulation history and so on. In some states, transmitting personal information about minors in this way is illegal.

Here’s an analogy from R & R Web Design: “Having an insecure page is similar to sending a postcard through the mail. Anyone can see and potentially manipulate the data.” And Eric Mill, of 18F, explained that using encryption is like sending “a locked briefcase through the mail that only you and a recipient can unlock.”

These changes to Chrome and Firefox are designed to draw attention to login pages that are not encrypted, so expect patrons to start complaining when they see the warning. Exposing patron data to the world was already bad practice (bordering on malfeasance); that has not changed. What has changed is that the lack of encryption is now visible to patrons right in the address bar.

Examples of what your patrons may see to complain about

In Chrome 56 the address bar shows a “Not secure” label on any plain-HTTP page that contains a password or credit card field. Firefox 51 shows a grey padlock with a red strike-through next to the URL on such pages. Both indicators key off the page itself being served over HTTP, so a login form that merely posts to an HTTPS address still triggers them.
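To see which of your catalog pages would trip those browser warnings, the following added example (not code from the original post or from any ILS vendor) reproduces the browser’s rule offline: it scans a page’s HTML for password and credit card fields and reports both whether the page would get the “Not secure” indicator (page served over plain HTTP) and whether the credentials themselves would be sent in the clear (form posting to an http:// address). The function name audit_login_page, the host catalog.example.org and the HTML snippets are assumptions constructed for the example.

```python
"""Offline check of what a browser's 'Not secure' logic says about a login page.

Added example; not part of the original post or of any ILS product.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# autocomplete tokens that browsers treat as credit card fields
CARD_FIELDS = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year"}


class _LoginFormScanner(HTMLParser):
    """Collects every password / card field and the URL its form submits to."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self._form_actions = []   # stack of action URLs for currently open <form> tags
        self.fields = []          # (field name, absolute submit URL)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            # A missing or empty action submits back to the page itself.
            self._form_actions.append(urljoin(self.page_url, a.get("action", "")))
        elif tag == "input":
            itype = a.get("type", "text").lower()
            if itype == "password" or a.get("autocomplete", "").lower() in CARD_FIELDS:
                submit_to = self._form_actions[-1] if self._form_actions else self.page_url
                self.fields.append((a.get("name", "?"), submit_to))

    def handle_endtag(self, tag):
        if tag == "form" and self._form_actions:
            self._form_actions.pop()


def audit_login_page(page_url, html):
    """Return a sorted list of (finding, field_name) tuples for one page.

    'not_secure_indicator': the page is plain HTTP and collects a password or
                            card number, so Chrome 56 / Firefox 51 warn the user.
    'credentials_in_clear': the field's form submits to a non-HTTPS URL, so the
                            secret itself crosses the network unencrypted.
    """
    scanner = _LoginFormScanner(page_url)
    scanner.feed(html)
    page_is_https = urlsplit(page_url).scheme.lower() == "https"
    findings = set()
    for name, submit_to in scanner.fields:
        if not page_is_https:
            findings.add(("not_secure_indicator", name))
        if urlsplit(submit_to).scheme.lower() != "https":
            findings.add(("credentials_in_clear", name))
    return sorted(findings)


# Constructed sample login form (not taken from any real catalog).
SAMPLE_LOGIN_FORM = """
<form action="/patroninfo" method="post">
  <input name="code" type="text">
  <input name="pin" type="password">
</form>
"""

# Constructed page that is itself HTTPS but posts the PIN to plain HTTP.
SAMPLE_MIXED_FORM = """
<form action="http://catalog.example.org/patroninfo" method="post">
  <input name="pin" type="password">
</form>
"""

if __name__ == "__main__":
    for url in ("http://catalog.example.org/login", "https://catalog.example.org/login"):
        print(url, audit_login_page(url, SAMPLE_LOGIN_FORM))
    print("https page, http form action:",
          audit_login_page("https://catalog.example.org/login", SAMPLE_MIXED_FORM))
```

Feed it the URL and saved HTML of each page where a patron types a barcode and PIN (and the staff login, if it is web-based). An empty list means the browser shows no warning and the form posts over HTTPS; anything else is a page to fix. The check deliberately ignores the form action when deciding on the indicator, matching the browser: a plain-HTTP page can be rewritten in transit, so posting to HTTPS from it buys nothing.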

What to do?

If your ILS is hosted, contact your ILS provider and demand that all pages, patron-facing and staff, be served over HTTPS. You might also consider moving to a different ILS company, one that would never let you get into a position where you are effectively publishing patrons’ personal information and logins to the world. We believe ILS companies have a fiduciary duty here, and your current ILS has let you down.

If your ILS runs on a server in your library, you or your IT staff will likely need to make the change yourselves. This article may help with the process, including obtaining a certificate (which is required for encryption). For the certificate itself, look at Let’s Encrypt, a highly regarded certificate authority whose goal is an encrypted web: it is free, automated and open, and its client software can renew certificates without manual work. Once the certificate is installed, redirect every plain-HTTP request to HTTPS and confirm that the login page, the patron account pages and any web-based staff interface all load without mixed-content warnings; until they do, the browser warning does not go away.