Concerned dad, a Cisco engineer, established fake account to prove that social collaboration site for teachers was not using encryption.
Inside Eight Game-changing MOOCs
(click image for larger view and for slideshow)
Following an embarrassing The New York Times article on the weakness of its Web security, Edmodo is promising to make full SSL encryption standard for all accounts by July 15.
A Sunday New York Times feature detailed an informal security audit of the site by Tony Porterfield, an engineer at Cisco Systems, who checked up on the site after learning that use of the Web service was being encouraged by the Los Altos, Calif., school system that his two sons attend.
Porterfield said he couldn't help worrying how a predator might exploit the site's flawed security. "There's a lot of contextual information you could use to gain trust, to make yourself seem familiar to the child," he told the Times. "As a parent, that's the scariest thing."
By registering himself as a fictional home school teacher with a class of fictional students, Porterfield was able to establish that Edmodo did not fully encrypt sessions using the Secure Sockets Layer encryption protocol -- long the standard for banking and e-commerce transactions but also, increasingly, for social media sites. SSL-secured connections begin with the prefix https, instead of http, and a successful encrypted connection is indicated by browsers with a closed padlock icon.
Edmodo protests that it has offered support for full SSL encryption since 2011 and that at least 50% of users currently have it turned on. However, today full encryption is not the default; it's a feature that needs to be turned on by a school or school district. In a blog post in response to the Times story, Edmodo said SSL connections will become the default as part of a July 15 software update.
Today, the default is that Edmodo encrypts login transactions but not ongoing interactions with the website. Although that used to be standard practice for Web applications, it has fallen out of favor for any site that handles personal information. The era of wireless networking has increased the risk of Web data being intercepted in transit, and that includes the authentication "cookie" files that Web browsers use to establish persistent connections. By stealing the cookie, it's possible for an attacker to impersonate another user.
For a Web service operator, the tradeoff to encrypting all connections is that constantly encrypting and decrypting all data requires more processing power, which translates into a need for more servers and data center capacity. In other words, it's significantly more expensive than encrypting just the most sensitive data. SSL-secured Web connections are also slower than unencrypted connections, which means Web developers have to work harder to make their applications responsive and deliver a good user experience.
Facebook, which was criticized for being slow to act on the requirement for secured connections, implemented SSL as its default connection mode in late 2012. Until January 2011, Facebook only used SSL on its login and password reset pages. That month, Facebook began offering full-session SSL encryption as an option users could enable in their settings screen, a first step toward making SSL the standard.
This optional mode of supporting full-session SSL is essentially the same situation Edmodo finds itself in two and a half years later. Requiring SSL for all connections is not an option that can be set at the level of individual teacher accounts, but can be implemented by schools and school districts that have established a formal relationship with Edmodo, which includes establishing a subdomain such as broward.edmodo.com for the Broward County, Fla. schools.
Individual teachers can also establish accounts at edmodo.com, regardless of whether their school system sponsors or endorses the site, which is how Porterfield established an account for his fictional home school educator. An individual teacher can toggle into SSL connection mode by changing the Web address prefix from http://www.edmodo.com to https://www.edmodo.com. That choice will stick for the rest of the session but must be done again each time the individual logs in.
This is supposed to change on July 15. The Times reported that Edmodo competitor Schoology had the same issue until recently, but announced as the story was being reported that it had turned on encryption for all connections.
In an email response to questions from InformationWeek, Edmodo said it had previously made the decision to "evolve" toward full encryption partly because of the performance limits on networking and computers in K-12 schools. The company's mobile apps already make SSL security standard.
"At Edmodo, we have always looked to serve the needs of schools who want to maximize learning opportunities for students -- historically that has meant using the computers they have in schools, which often have older technology running legacy browsers. Because of this, Edmodo has offered our users an option to use a non-fully encrypted version of our services because some older Web browsers have great difficulty accessing non-encrypted content on a fully encrypted website. By no means was this an economic decision," Edmodo said in a statement.
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.