Considering the large number of data breaches that have affected universities in the past months, it shouldn’t surprise anyone that many educational institutions fail to properly protect their infrastructures. This is reinforced by a new study made by TechWeekEurope on the SSL security of the websites owned by the top 50 universities from the UK.
The study was conducted by using the SSL Labs tool on the sites of universities ranked by The Guardian as being the best.
The tests showed that, out of the 50 websites running HTTPS connections, 17 didn’t live up to expectations, in some case even obtaining C or D grades on a scale where A was the best.
In theory, these types of flaws can allow an attacker to cause some serious damage, including access networks and steal sensitive information, as we’ve seen on numerous occasions.
On the bright side, many of the universities have already started taking measures after being notified by TechWeekEurope of the potential risks presented by their SSL installations.
University College London (UCL) was among the first to respond. The institution’s representatives admitted that the “security configuration could be improved,” and after an update, UCL joined the list of subjects
that passed the test.
The University of Nottingham is also in the process of implementing a more efficient SSL.
“Implementation of an extensive investment programme of system upgrades is currently underway to provide new firewalls, more robust authentication, and other campus network enhancements that protect our large and diverse user communities,” a spokesperson said.
The University of Manchester, University of Glasgow, Lancaster University and Oxford have also addressed, or are in the process of addressing, the issues.
However, as expected, not everyone rushed to act after learning the results of the study. University of Dundee in Scotland will update its systems at some point, but they’re currently experiencing certain difficulties.
Oxford Brookes University will only deploy the new SSL implementations in September. Keele and Bath haven’t done anything yet, but they promise to address the vulnerabilities in the upcoming period.
Unfortunately, there were even some universities that didn’t respond to the notifications at all.