This page contains the main results of our security assessment of the HTTPS deployment of Italian university websites. The study has been presented at ITASEC 2020 and the full paper is available here.
The paper contains full details on how the table should be read and how the scores have been computed. The numbers in the table refer to the original evaluation performed in our study; however, the table additionally includes a “Notes” column, where we keep track of any security improvement we are aware of since our responsible disclosure process. The table might not reflect some security updates which were not explicitly communicated to our research group.
Abstract: In this paper we carry out a systematic analysis of the state of the HTTPS deployment of the most popular Italian university websites. Our analysis focuses on three different key aspects: HTTPS adoption and activation, HTTPS certificates, and cryptographic TLS implementations. Our investigation shows that the current state of the HTTPS deployment is unsatisfactory, yet it is possible to significantly improve the level of security by working exclusively at the web application layer. We hope this observation will encourage site operators to take actions to improve the current state of protection.
| Website | Activation | Certificate | Cryptography | Score | Notes |
|---|---|---|---|---|---|
| unige.it | 3 + 2 | 4 + 2 | 1 + 1 + 0 + 0 | 2 | — |
| web.unipv.it | 3 + 2 | 4 + 2 | 1 + 1 + 1 + 1 | 2 | — |
| web.uniroma2.it | 0 + 2 | 4 + 2 | 1 + 1 + 0 + 0 | 1 | — |
| www.poliba.it | 0 + 2 | 4 + 2 | 1 + 1 + 1 + 1 | 1 | — |
| www.polimi.it | 5 + 2 | 4 + 2 | 1 + 1 + 1 + 1 | 4 | — |
| www.polito.it | 3 + 2 | 4 + 2 | 1 + 1 + 0 + 0 | 2 | HSTS activated post disclosure |
| www.santannapisa.it | 3 + 2 | 4 + 2 | 1 + 1 + 0 + 0 | 2 | HSTS activated post disclosure |
| www.sns.it | 3 + 2 | 4 + 2 | 1 + 1 + 1 + 1 | 2 | — |
| www.uniba.it | 3 + 2 | 4 + 2 | 1 + 1 + 0 + 0 | 2 | — |
| www.unibo.it | 5 + 2 | 4 + 0 | 1 + 1 + 1 + 1 | 3 | — |
| www.unibs.it | 3 + 2 | 4 + 0 | 1 + 1 + 0 + 0 | 2 | — |
| www.unicatt.it | 3 + 2 | 4 + 0 | 1 + 1 + 1 + 1 | 2 | — |
| www.unict.it | 3 + 2 | 4 + 2 | 1 + 1 + 0 + 0 | 2 | — |
| www.unife.it | — | — | — | 1 | — |
| www.unifi.it | 5 + 2 | 4 + 0 | 1 + 1 + 1 + 1 | 3 | — |
| www.unimi.it | 3 + 2 | 4 + 2 | 1 + 1 + 1 + 1 | 2 | — |
| www.unimib.it | 3 + 2 | 4 + 2 | 1 + 1 + 1 + 1 | 2 | — |
| www.unimore.it | 3 + 2 | 5 + 2 | 1 + 1 + 1 + 1 | 2 | — |
| www.unina.it | 0 + 1 | 4 + 2 | 1 + 1 + 0 + 0 | 1 | — |
| www.unipa.it | 0 + 1 | 4 + 2 | 1 + 1 + 0 + 0 | 1 | HTTPS redirection activated post disclosure |
| www.unipd.it | 3 + 2 | 4 + 2 | 1 + 1 + 1 + 1 | 2 | — |
| www.unipg.it | 3 + 2 | 5 + 2 | 1 + 1 + 1 + 1 | 2 | HSTS activated post disclosure |
| www.unipi.it | 3 + 2 | 4 + 2 | 1 + 1 + 0 + 0 | 2 | HSTS activated post disclosure |
| www.unipr.it | 3 + 2 | 4 + 0 | 1 + 1 + 0 + 0 | 2 | — |
| www.uniroma1.it | 3 + 2 | 4 + 2 | 1 + 1 + 0 + 0 | 2 | HSTS activated post disclosure |
| www.uniroma3.it | — | — | — | 1 | — |
| www.unisa.it | 3 + 2 | 4 + 0 | 1 + 1 + 0 + 0 | 2 | — |
| www.unisi.it | 3 + 2 | 4 + 0 | 1 + 1 + 1 + 1 | 2 | — |
| www.unitn.it | 3 + 2 | 5 + 0 | 1 + 1 + 0 + 0 | 2 | HSTS activated post disclosure |
| www.unito.it | 3 + 2 | 4 + 0 | 1 + 1 + 1 + 1 | 2 | — |
| www.units.it | 3 + 2 | 4 + 2 | 1 + 1 + 0 + 0 | 2 | — |
| www.uniud.it | 3 + 2 | 5 + 2 | 1 + 1 + 1 + 1 | 2 | — |
| www.unive.it | 3 + 2 | 5 + 2 | 1 + 1 + 1 + 1 | 2 | HSTS activated post disclosure |
| www.univr.it | 3 + 2 | 4 + 0 | 1 + 1 + 1 + 1 | 2 | HSTS activated post disclosure |