Helping to Secure Humanitarian Aid Organisations Online

By Matthew Marks, Technical Director, Public Interest Registry

In times of need, humanitarian organisations are increasingly turning to the speed and efficiency of online channels to share their message and mobilize support. Recently, when a boys' soccer team was trapped in a cave in Thailand, the support was vast and swift – and largely crowdsourced. Advocates were able to connect with each other via online channels to raise money and support the rescue mission from near and far.

Many humanitarian entities use the .org domain as an essential asset for their aid efforts, stemming from its reputation as a conduit for using the internet for good. The .org domain can improve the efficiency and scale of a humanitarian response, providing aid organisations the platform they need to reach critical stakeholders and meet their intended goals. However, online efforts, no matter the domain in use, come with risk. While volunteers and donations can be secured immediately via an organisation’s website, the mission to collect these resources can just as quickly be derailed by a security breach. Humanitarian organisations must understand that while they rely on the internet for good, nefarious players can be lurking to take advantage, and sensitive information can be compromised if steps are not taken to protect it.

With this in mind, it’s critical that humanitarian organisations understand and implement security precautions to prevent a breach. HTTPS, which stands for Hypertext Transfer Protocol Secure, is a critical defense that is easy to integrate into your existing system. It protects web page authenticity and keeps user communications, identity and web browsing secure.

HTTPS vs. HTTP

Yes, HTTP and HTTPS are different, mostly because they represent different levels of security. You can easily identify whether a website is using HTTP or HTTPS by looking at the URL in your browser's address bar. The beginning of the URL will indicate the protocol – https:// for example – and will be followed by the domain name. Additionally, for HTTPS-enabled websites, you will also see a padlock icon to the left of the URL indicating that the site is protected. The fundamental difference between the protocols is that HTTPS encrypts data bidirectionally, meaning that data sent to your site is protected by encryption, and the response your site sends back is similarly defended. This protects you and your stakeholders (the recipients of the data) against potential eavesdropping, information forging, data tampering or theft.

HTTPS ensures data communicated online is secure and private. Data that is transferred from party to party could be intercepted by hackers with ill intent. However, if a site uses HTTPS, visitors to the website can be assured that the data they’re viewing is authentic, in that it hasn’t been accessed or altered by an external source. What do we mean by “data”? Data can be qualitative, like your organisation’s passwords or constituent health records, or quantitative in the form of bank account numbers you collect from donors. Check out this past Public Interest Registry post, which can help you understand what data is and how it can be at risk. Overall, if you are collecting data from constituents, it is your responsibility to ensure it’s appropriately protected.

Why is HTTPS Valuable to Humanitarian Aid Organisations?

Safe and secure transfer of sensitive information is key for your communications efforts, and with HTTPS in place on your website, you can ensure data privacy and integrity while it’s in transit. Specifically, HTTPS can protect against an attack where direct website communications are secretly intercepted and potentially altered or directed to fraudulent sites – also known as a man-in-the-middle attack. This means conversations dealing with highly sensitive information could appear to occur directly between your humanitarian organisation and a volunteer, when, in reality, the conversation is being controlled by an attacker.

The security ensured by HTTPS offers potential donors a safe place to provide you with support. If stakeholders know your organisation is taking online security seriously, they will in turn feel comfortable making a financial donation. Though prevention is critical, in today’s online landscape, breaches are more common than ever. While we at Public Interest Registry work to make the .org domain a safe and secure channel to serve your humanitarian efforts, any online channel can be compromised. In the aftermath, speedy remediation can come from a well-laid-out strategy as discussed in each of these Public Interest Registry blog posts. Your registrar or hosting provider may also be able to provide additional guidance.

How to Integrate HTTPS into your Website

Setting up HTTPS is simple. First, your organisation needs to buy, install and activate an SSL certificate. Think of this certificate as similar to a passport or other form of personal identification, but in this instance, it proves your website is, in fact, legitimately yours. You can do this yourself over the internet through free or commercial certificate vendors, or your hosting provider can provide one and install it for you. Certificates for individual sites are inexpensive and can generally be purchased for a period of one to three years based on your needs and budget.

Finally, update all website page links by replacing HTTP with HTTPS. The HTTP links will still work, but data on those pages will not be encrypted. Be thorough in your updates to maximize donor security. Remember, installing HTTPS doesn’t mean your entire website is secure from cyberattacks, but it does ensure the transfer of your data from computer to computer meets internet standards for security. You can learn more about HTTPS, certificates and encryption on sites such as Letsencrypt.org, which shared this resource on how to implement HTTPS on your site.
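
To help with the link update described above, here is an added example (not code from Public Interest Registry or Let's Encrypt) that scans a page's HTML for URLs still using http://, separating ordinary links from embedded resources and form targets. The sample page, the example.org and example.net hosts, and all function and category names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL is fetched into the page itself (constructed list for this example).
EMBEDDED = {"script", "img", "iframe", "audio", "video", "source"}
# Constructed sample page, assumed to be served from https://www.example.org/
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example.net/lib.js"></script>
</head><body>
<a href="http://www.example.org/about">About us</a>
<form action="http://www.example.org/donate" method="post"></form>
<img src="//images.example.org/logo.png">
</body></html>"""

class InsecureUrlFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        rel = (dict(attrs).get("rel") or "").lower()
        for name, value in attrs:
            if name not in ("href", "src", "action") or not value:
                continue
            # Resolve relative and protocol-relative URLs against the page URL.
            url = urljoin(self.page_url, value.strip())
            parts = urlsplit(url)
            if parts.scheme != "http":
                continue
            kind = "plain-link"  # still works, but the target loads unencrypted
            if tag == "form":
                kind = "unencrypted-form-target"  # submitted data leaves in clear text
            elif tag in EMBEDDED or (tag == "link" and "stylesheet" in rel):
                kind = "mixed-content"  # http resource pulled into an https page
            scope = "own-site" if parts.hostname == self.site_host else "third-party"
            self.findings.append((self.getpos()[0], tag, kind, scope, url))

def find_insecure_urls(html, page_url):
    finder = InsecureUrlFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

if __name__ == "__main__":
    for finding in find_insecure_urls(SAMPLE_PAGE, "https://www.example.org/"):
        print(*finding)
```

Each finding is a tuple of line number, tag, category, scope and resolved URL. Form targets and embedded resources are the ones to fix first, since they affect data that donors submit or content that loads inside an otherwise protected page.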

HTTPS encryption is the best first step in prevention of a security breach, and if you’re ensuring this level of protection on your humanitarian-focused domain, you’re also working to build trust with stakeholders, which could go a long way in achieving your mission for good.