HTTPS protocol offers better data protection than regular HTTP protocol since it utilize cryptography, mainly encryption and authentication mechanism to provide confidentiality and authenticity to packets sent to and from servers. However, not all institutions have properly implemented HTTPS protocol for their web sites. This paper analyzed the implementation of HTTPS protocol for all higher education web sites in Java island. We found that only 28 out of 1505 (1.86%) of all higher education institution who have a domain name have been using HTTPS protocol for their main domain. Furthermore, not all of them have properly implemented HTTPS protocol. We analyzed all 28 domains and we found that 8 out of 28 (28.57%) institutions are still using SSLv3 protocol which is no longer recommended to be used since it’s vulnerable to POODLE attack, 9 out of 28 (32.14%) institutions are still using an old algorithm RC4 which is proven to be insecure, 4 out of 28 (14.28%) institutions only support up to TLS 1.0, and 6 out of 28 (21.42%) institutions are still using SSLv2 or reusing same RSA keys thus vulnerable to DROWN attack. Many of the best practices of implementing HTTPS protocol were also neglected. HTTP Strict Transport Security (HSTS) is used by 5 out of 28 (17.8%) institutions and none of them have implemented HTTP Public Key Pinning (HPKP).
Index Terms—cryptography, HTTPS, SSL, TLS
The PASSERINE Public Key Encryption and Authentication Mechanism
