SSL, TLS-Security

Developers of applications for open access publishing and repositories know that users sometimes have very long interactive sessions while doing their work.

An author may spend considerable time uploading a submission, completing metadata forms, checking various criteria such as the copyright policy, privacy policy and conflicts of interest, and exchanging messages with the editor and reviewers. After acceptance of the submission, the author selected as principal contact person may need to pay the submission fee through the open access publishing web application. A high level of security is needed for the payment, especially since the money transferred is sometimes part of a project budget provided by a donor, ministry or (inter)state agency. Reviewers may spend a lot of time writing their reviews and completing the review form. Readers and librarians may spend a lot of time logged in while reading, paying subscriptions or collecting metadata of articles related to a specific topic. Journal secretaries and subscription managers may need to upload data on users’ payments or other information that should remain private. Editors may spend a long time checking reviews, respecting privacy concerns that may be important for various supplementary files (predominantly in the humanities, medicine and health sciences), various preview and review discussions, and communications from journal management on subscription and submission fee financial statements.

During such interactions various bad things can happen. Passwords may be stolen, credit card numbers may be stolen and later used for illegal purposes, and malicious code may be injected so that the server is used for various illegal purposes. The risk is higher if the user’s computer is infected, not properly maintained and cleaned, or used irresponsibly.

Security measures were not invented only for military, police and special-purpose computers. Security should be a principle, not an optional feature. System administrators should take preventive measures seriously and help editorial boards, librarians and other organizations and persons preparing their projects for open access publishing and repositories. We cannot control who will at some point try to intercept our interaction with a web application and perform activities that damage our work and the work of many other scholars, scientists and the general public. CrossRef and some other organizations involved in open access publishing, especially where payments are made through the web platform, require the implementation of security standards in web applications. Several editors told me that they were asked to put an “s” after “http” and add the green padlock icon there.

(image: green padlock and https)

The letter “s” after http means that HTTP (Hypertext Transfer Protocol) is secure. HTTPS is an extension of HTTP. The green padlock is a small icon shown after the browser has performed various checks of whether the content and communication on the site are secure. Many companies and international organizations of IT security scientists and engineers have dedicated considerable time and resources to establishing standards, technologies, protocols and software tools that make internet communications secure and allow the level of security to be checked.

Many people use the term SSL for all security measures, although strictly speaking SSL stands for Secure Sockets Layer. SSL was the standard security technology for establishing an encrypted link between a web server and the user’s browser. A link protected by SSL ensures that all data passed between the web server and browsers remain private and intact. SSL was developed further, and after version 3.0 new technologies are used. The Internet Engineering Task Force published a statement requesting that SSL be deprecated. Servers currently use TLS version 1.3. TLS stands for Transport Layer Security. Version 1.2 of TLS was deprecated in August 2018.

The basics of how the protocol works can be learned from this video:

Site owners should purchase or obtain a free TLS certificate from a CA (Certificate Authority). Some states have established their own certificate authorities. Many companies are involved in selling certificates and in providing technical support for their installation and maintenance. Depending on the required security level, you should decide which certificate to install on your server. For example, if you maintain a repository of primary data in the humanities that may contain private information on people involved in medical, psychological or social research, you should consider a stronger certificate, which is more expensive, together with additional measures and policies that keep some of the data private. If you process many payment transactions, you should also consider purchasing a certificate aimed at a higher security level. If you have no payments and no special privacy concerns, you can consider a basic certificate or a certificate from an open certificate authority such as Let’s Encrypt.

Installation of a certificate is sometimes a process in which the CA or its reseller guides you, and during that process they may perform some security and identity checks. That process is usually short, but for some more expensive certificates it may take some time depending on the checking procedures. You may be asked to check your mail a couple of times and click on confirmation links. Some hosting companies and CAs such as Let’s Encrypt have prepared online instructions that are easy to follow. However, editors who are not familiar with IT technologies and standards should ask their hosting company or system administrator to install the certificate properly. After installation of the certificate, a green padlock should appear on the left side of the status bar in the browser. If there is no green padlock, or you see a padlock with an exclamation sign, check the Why No Padlock site and use its testing tool to fix potential issues. The output of the test may look like the image below:

(image: checking ssl certificate)

Some people use SSL Tools or other online certificate checkers to check the validity of a certificate.

Some CAs offer additional checks of installed certificates since there are known attacks on certificates. After I installed one relatively expensive certificate for a site that manages online payments, I noticed that their server still had TLS 1.0 active, which was vulnerable to the so-called BEAST attack. Although the latest versions of TLS are not vulnerable to the BEAST attack, it is always good to check whether your hosting company or institutional servers are updated to the latest versions of security protocols. Additional information on some other attacks on certificates is described on one very interesting security-oriented blog.
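As an added example (not part of the original post, and not a tool from any CA, hosting company or checker site mentioned above), the following Python script performs the two checks the previous paragraphs describe: whether the certificate a server presents covers the hostname and is still inside its validity period, and whether the server still accepts the legacy TLS 1.0 and 1.1 versions. The host name `journal.example.org` and the `SAMPLE_CERT` dictionary are constructed sample values, not a real site or certificate; everything else uses only the Python standard library.

```python
import socket
import ssl
import sys
import time

# Constructed sample: the dict shape that ssl.SSLSocket.getpeercert() returns,
# filled in for a hypothetical journal host. Not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "journal.example.org"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "subjectAltName": (("DNS", "journal.example.org"), ("DNS", "*.journal.example.org")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}

# Protocol versions that should no longer be accepted by a server.
LEGACY_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)


def hardened_context() -> ssl.SSLContext:
    """Client context that refuses TLS 1.0/1.1 and verifies chain and hostname."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def parse_cert_time(value: str) -> float:
    """Convert a getpeercert() timestamp such as 'Jun  1 12:00:00 2030 GMT' to epoch seconds."""
    return ssl.cert_time_to_seconds(value)


def _name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a wildcard covering exactly one leftmost label (RFC 6125 style)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def assess_certificate(cert: dict, hostname: str, now: float, warn_days: int = 30) -> dict:
    """Report hostname coverage and remaining validity for a getpeercert() dict."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    days_left = int((not_after - now) // 86400)
    return {
        "hostname_ok": any(_name_matches(san, hostname) for san in sans),
        "in_validity_window": not_before <= now <= not_after,
        "days_left": days_left,
        "expiring_soon": days_left < warn_days,
    }


def legacy_tls_offered(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Attempt a handshake pinned to TLS 1.0 and to TLS 1.1; True means the server accepted it.

    Verification is disabled on purpose: only the protocol version is probed here,
    the certificate itself is assessed separately by check_server().
    """
    results = {}
    for version in LEGACY_VERSIONS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = version
        ctx.maximum_version = version
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[version.name] = tls.version() is not None
        except (ssl.SSLError, OSError):
            # Refused, or the local OpenSSL itself cannot speak this version.
            results[version.name] = False
    return results


def check_server(host: str, port: int = 443) -> dict:
    """Handshake with the hardened context and assess the certificate the server presents."""
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=5.0) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            report = assess_certificate(tls.getpeercert(), host, time.time())
            report["negotiated"] = tls.version()
    report["legacy_offered"] = legacy_tls_offered(host, port)
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_server(sys.argv[1]))
    else:
        # Offline run: evaluate the constructed sample certificate only.
        print(assess_certificate(SAMPLE_CERT, "journal.example.org", time.time()))
```

Run it as `python tls_check.py your.host.example` to probe a live server; without an argument it only evaluates the constructed sample certificate offline. The legacy-version probe can only report what your local OpenSSL is able to negotiate: a modern build that refuses to speak TLS 1.0 itself will report False even when the server would accept it, so confirm a negative result with `openssl s_client -tls1 -connect host:443` or an online scanner before relying on it.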

Note: Despite the popularity of mobile phones, I would not use a mobile phone for work on very important data or for administering a web application or server holding all kinds of important information.