[Web4lib] Use SSL on Patron Account Pages?

Cary Gordon listuser at chillco.com
Mon Feb 4 16:44:15 EST 2008


I think that the reasoning should not be based on what other libraries  
do, or what patrons expect. SSL is a relatively inexpensive and easy  
to implement way of protecting personal information and as such, I  
think that it should be considered a best practice for Web pages that
call for the display and transmission of personal information,  
including ILS and website logins.

Here is an example of how this might be useful:

I deal with a few libraries that, for better or worse, use content  
filtering systems that rely on promiscuous networks to operate.  
Usually, this means that their public networks use hubs rather than  
switches, with the result that all traffic is visible from all ports.  
Given that scenario, it would be trivial to put a port sniffer on the  
network and harvest any and all unencrypted username/password  
transactions.

Having said that, I would wager that the percentage of libraries that  
actually do SSL logins is tiny.

Cary Gordon, mls
The Cherry Hill Company
http://www.chillco.com

On Feb 4, 2008, at 11:06 AM, Pruntel,Alison wrote:

> Please excuse cross-posting, as I'm querying several lists I subscribe
> to.
>
> We've had a patron complain because we do not use SSL/encryption when
> they log into their patron account using our Web OPAC (III's
> Millennium). Luckily, III provides a way to enable this fairly quickly,
> but we're of course going to have to spend money on purchasing a
> certificate from Verisign. My director asked if all other libraries are
> doing this, and as I poked around other Northern Virginia library sites
> and checked the "Log in to my account," type of areas of their online
> catalog, I noticed none of them are using SSL/encryption. I was actually
> kind of surprised, thinking it was just something that slipped by us
> only.
>
> It would be much appreciated if you could check and see if your library
> uses SSL for the patron information functions of your Web OPAC and let
> me (or the list) know whether or not you do secure that information and
> if so/not, why did you (your library) opt for this? I think most
> web-savvy people assume that when they are logging in to a Web site,
> whether their library account or a commerce site like Amazon, they
> assume that the data is encrypted.
>
> Thanks in advance,
>
> Alison Pruntel
> Electronic Resources Librarian
> Fauquier County Public Library
> 11 Winchester Street
> Warrenton, VA 20186
> 540-349-2770 (voice)
> 540-349-3278 (fax)
> http://library.fauquiercounty.gov
> http://fcpleresources.blogspot.com/
>







