Sensitive student data at risk on top college websites

Digital attackers are increasingly turning their sights on universities, and often they find relatively easy prey.

Colleges are attractive targets because they keep a significant amount of data from students' personal information such as contact information, financial records, health records, and Social Security numbers.

In one of the most glaring recent examples, some 80,000 students of the California State University system had personal data exposed in an early September breach. Cal State has plenty of company, too. In July, Harvard revealed that it was the victim of a digital attack. And, in the same month, the hacktivist group known as GhostShell repeated claims that it stole data from scores of colleges and universities.

But even though universities have to do more to secure their communities' data, Passcode found that the majority of schools tested fail to enable the latest online safeguards that many experts say is needed to secure transmission of student data via the Web.

Using the website encryption analysis tool SSL Labs, Passcode analyzed sites for the eight Ivy League schools and top eight public schools as ranked by US News & World Report to determine which schools employ HTTP Strict Transport Security (HSTS), a security measure that ensures students connect only to secure versions of their school's site.

What is HSTS?

When "HTTPS" is displayed in the URL bar, it means users have a secure, encrypted connection to the website that can prevent intrusions such as a man-in-the-middle attack, in which third parties intercept a visitor's Web traffic and can capture sensitive data such as passwords or credit card information.

HSTS is a fairly recent security measure that websites with HTTPS can enable to make sure visitors connect to the secure version of a site every single time. Without HSTS, Internet users will have to check the URL bar to make sure it says “HTTPS” each time, which can be easy to miss even for those with a trained eye. The catch is that if anything is amiss with the encryption on a site with HSTS enabled, a user won't be able to connect to a site at all. That means there needs to be HTTPS on every page of a domain, which requires significant upkeep.

Many of the most popular Web services, including Gmail, use the HSTS header. Firefox, Google Chrome, Opera, Safari, and Microsoft’s Edge browser all currently support HSTS. But universities lag behind the private sector when it comes to using the latest techniques to safeguard student data. In fact, many college officials aren't even aware of HSTS.

“It’s definitely a significant security issue,” said Jeremy Gillula, a technologist at the digital rights group Electronic Frontier Foundation. 

The lack of HSTS at universities can be problematic because schools often use a single sign-on service that allows its users, such as students, professors, researchers, and contractors, to visit the majority of their online services with one set of login credentials. That means that students and university employees are directed to the same page each time before logging into a variety of services. It's meant to be a convenient solution that relives users from having to remember multiple sets of credentials, which can lead to less secure but easy to remember passwords. 

If an attacker is on the same network as someone at the school, they could potentially hijack the user’s session and redirect the user to an insecure version of the page – one without HTTPS – where the attacker can monitoring the user’s traffic, including any sensitive information transmitted.

It isn’t the worst security issue a site can have, said Ivan Ristic, who designed SSL Labs and authored “Bulletproof SSL and TLS,” but any site that has not enabled the secure protocol is potentially vulnerable to attack. 

"One of the biggest weakness of the current system is that HSTS is not enabled by default," he said. “Without HSTS, anyone can attempt to hijack a [Transport Layer Security] connection with an invalid certificate. In such situations, browsers present their certificate warning page and allow users to click-through to go to the web site, effectively falling victim to the attack.”

Despite affecting a large number of sites, few sites have enabled HSTS. According to Mr. Ristic, under 5 percent of the 150,000 most popular websites use it

Colleges and HSTS

Like many website operators, one of the main reason that colleges and universities aren’t using HSTS is because they aren’t aware it exists. Many also don't have HTTPS on all of their pages, which is necessary before enabling HSTS.

That was the case at Dartmouth College. Steven Nyman, the college’s chief information security officer, said that the college doesn’t feel it is necessary to have HTTPS on pages that do not require transmitting sensitive information. He was unaware of HSTS. 

For many colleges, it isn’t as simple as getting all of their pages secured with HTTPS in order for them to also implement HSTS. Officials at the University of Michigan, Ann Arbor, were familiar with HSTS, but said it was unrealistic for them to implement it because of the decentralized nature of the university. According to Chief Information Security Officer Donald Welch, even having HTTPS on every page would be challenging, especially since some of the pages are student-run.

“Generally speaking, our central information technology organization won’t be one of the first adopters” of HSTS, he said. The university has implemented other security measures to increase their community’s online security, including two-factor authentication for privileged users.

At Columbia University, for example, without HSTS deployed, students could be subject to man-in-the-middle attacks when managing passwords. Columbia recommends that its users changing passwords by first navigating to its insecure homepage and then going to the secure page to change login credentials.

Because the preceding page is insecure, attackers could potentially push the user to an insecure version of the page and swipe their information.  

“[The attacker] could change the links on the insecure version of the page such that they basically wipe out any links to secure versions of pages you might eventually click to,” the EFF's Mr. Gillula said.

Eleanor Templeton, director for strategic communications for Columbia University Information Technology, issued a statement regarding the lack of HSTS at Columbia. 

“Regarding a potential vulnerability that exists across the Internet, CUIT is actively implementing a solution that will prevent this type of attack across the systems we manage," she said in an email. "As with many other IT operations of similar scale in academia and elsewhere, when security issues have been raised they have been reported to appropriate authorities and corrected swiftly.”

As of the time of publication, Columbia had not implemented HSTS.

How students can protect themselves 

Until HSTS is widely adopted, users can protect themselves by installing the EFF’s “HTTPS Everywhere” browser extension. “HTTPS Everywhere” forces a user’s browser to visit only the secure version of a website if a secure version exists. Firefox and Google Chrome support the extension. If users do not have a browser compatible with the extension and the website they visit does not have HSTS, they will need to look for HTTPS in their URL bar whenever submitting sensitive information.

“Even when you’re using ‘HTTPS Everywhere,’ it is a lot to ask of users, but double check that that [HTTPS] is there on any page when you’re plugging in a username and password,” Gillula said. “It’s always good practice, but people can be in a rush and forget. I don’t blame people for being in a rush and forgetting.”