News | 6/24/2013 04:56 PM

NY Times Calls Out Edmodo On Security

Concerned dad, a Cisco engineer, established fake account to prove that social collaboration site for teachers was not using encryption.

Following an embarrassing New York Times article on the weakness of its Web security, Edmodo is promising to make full SSL encryption standard for all accounts by July 15.

A Sunday New York Times feature detailed an informal security audit of the site by Tony Porterfield, an engineer at Cisco Systems, who checked up on the site after learning that use of the Web service was being encouraged by the Los Altos, Calif., school system that his two sons attend.

Edmodo, a free social collaboration application for teachers, has become popular for swapping tips and lesson plans, and some teachers also use it to post lessons and assignments and track grades.

Porterfield said he couldn't help worrying how a predator might exploit the site's flawed security. "There's a lot of contextual information you could use to gain trust, to make yourself seem familiar to the child," he told the Times. "As a parent, that's the scariest thing."

By registering himself as a fictional home school teacher with a class of fictional students, Porterfield was able to establish that Edmodo did not fully encrypt sessions using the Secure Sockets Layer (SSL) protocol, long the standard for banking and e-commerce transactions and, increasingly, for social media sites. SSL-secured connections begin with the prefix https instead of http, and a successful encrypted connection is indicated in the browser by a closed padlock icon. The padlock speaks only for the page being shown: a site that serves the next page over plain http drops back to being unprotected.

Edmodo protests that it has offered support for full SSL encryption since 2011 and that at least 50% of users currently have it turned on. However, today full encryption is not the default; it's a feature that needs to be turned on by a school or school district. In a blog post in response to the Times story, Edmodo said SSL connections will become the default as part of a July 15 software update.

Today, the default is that Edmodo encrypts the login exchange but not the rest of the session with the website. Although that used to be standard practice for Web applications, it has fallen out of favor for any site that handles personal information. Wireless networking has increased the risk of Web data being intercepted in transit, and that includes the session cookie the browser sends with every subsequent request to show that the user has already logged in. An attacker who captures that cookie off the network can replay it and impersonate the user without ever learning the password; the encrypted login protects the password, but not the session it starts.
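The cookie exposure described above, as an added example that is not part of the original article and not Edmodo's code. It uses Python's standard-library cookie jar to play the browser: the login happens over https and sets a session cookie, and the question is whether that cookie is then attached to a later plain-http request to the same site (a link or bookmark without the https prefix, say). The host name www.example.edu, the cookie name sid, and the captured request are constructed for the example.

```python
import email.message
import re
from http.cookiejar import CookieJar
from urllib.request import Request

HOST = "www.example.edu"  # constructed host; stands in for the real site


class _FakeResponse:
    """Just enough of an HTTP response object for CookieJar.extract_cookies:
    it only needs .info() to return something with get_all()."""

    def __init__(self, set_cookie_value):
        self._msg = email.message.Message()
        self._msg["Set-Cookie"] = set_cookie_value

    def info(self):
        return self._msg


def cookie_header_sent(set_cookie_value, later_url):
    """Play the browser.  The login happens over https and the server
    answers with the given Set-Cookie header.  Return the Cookie header
    the browser would attach to a later request for later_url, or None
    if the jar withholds the cookie on that URL."""
    jar = CookieJar()
    login = Request(f"https://{HOST}/login")
    jar.extract_cookies(_FakeResponse(set_cookie_value), login)
    later = Request(later_url)
    jar.add_cookie_header(later)
    return later.get_header("Cookie")


def session_from_capture(raw_request, cookie_name="sid"):
    """What a passive listener on the same wireless network gets from one
    plaintext request: the session id, ready to replay in its own requests.
    No password is needed; the cookie already proves the login."""
    m = re.search(rf"^Cookie:.*\b{cookie_name}=([^;\r\n]+)", raw_request, re.M)
    return m.group(1) if m else None


# A constructed plaintext request, as a sniffer on an open hotspot would see it.
CAPTURED = (
    "GET /feed HTTP/1.1\r\n"
    f"Host: {HOST}\r\n"
    "Cookie: sid=7f3a9c1e; lang=en\r\n"
    "\r\n"
)

WEAK = "sid=7f3a9c1e; Path=/; HttpOnly"            # no Secure flag
STRONG = "sid=7f3a9c1e; Path=/; HttpOnly; Secure"  # Secure: https only

if __name__ == "__main__":
    # Without Secure, the session cookie rides along on any http:// request
    # to the site, even though the login itself was encrypted...
    print(cookie_header_sent(WEAK, f"http://{HOST}/feed"))     # sid=7f3a9c1e
    # ...and once it has crossed the wire in clear, it is the attacker's too.
    print(session_from_capture(CAPTURED))                      # 7f3a9c1e
    # With Secure, the browser never sends the cookie over http://...
    print(cookie_header_sent(STRONG, f"http://{HOST}/feed"))   # None
    # ...but still sends it over https://.
    print(cookie_header_sent(STRONG, f"https://{HOST}/feed"))  # sid=7f3a9c1e
```

The Secure flag closes the sniffing hole only if the site also stops serving the application over http; otherwise the user merely appears logged out on plain pages, and a login form that is itself served over http still sends the password in clear. Serving the whole site over https is what takes the choice away from the user.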

For a Web service operator, the tradeoff to encrypting all connections is that encrypting and decrypting all data takes more processing power, which translates into a need for more servers and data center capacity; it is therefore more expensive than encrypting only the most sensitive exchanges. Most of that cost is in the public-key handshake that opens each connection rather than in the bulk encryption of the data, so keep-alive connections and session resumption recover much of it. SSL-secured connections also add latency, because the handshake costs extra round trips before the first byte arrives, which means Web developers have to work harder to make their applications responsive and deliver a good user experience.

Facebook, which was criticized for being slow to act on the requirement for secured connections, implemented SSL as its default connection mode in late 2012. Until January 2011, Facebook only used SSL on its login and password reset pages. That month, Facebook began offering full-session SSL encryption as an option users could enable in their settings screen, a first step toward making SSL the standard.

This optional mode of supporting full-session SSL is essentially the same situation Edmodo finds itself in two and a half years later. Requiring SSL for all connections is not an option that can be set at the level of individual teacher accounts, but can be implemented by schools and school districts that have established a formal relationship with Edmodo, which includes establishing a subdomain such as broward.edmodo.com for the Broward County, Fla. schools.

Individual teachers can also establish accounts at edmodo.com, regardless of whether their school system sponsors or endorses the site, which is how Porterfield established an account for his fictional home school educator. An individual teacher can toggle into SSL connection mode by changing the Web address prefix from http://www.edmodo.com to https://www.edmodo.com. That choice will stick for the rest of the session but must be done again each time the individual logs in.

This is supposed to change on July 15. The Times reported that Edmodo competitor Schoology had the same issue until recently, but announced as the story was being reported that it had turned on encryption for all connections.

In an email response to questions from InformationWeek, Edmodo said it had chosen to "evolve" toward full encryption gradually, partly because of the performance limits of the networks and computers in K-12 schools. The company's mobile apps already make SSL security standard.

"At Edmodo, we have always looked to serve the needs of schools who want to maximize learning opportunities for students -- historically that has meant using the computers they have in schools, which often have older technology running legacy browsers. Because of this, Edmodo has offered our users an option to use a non-fully encrypted version of our services because some older Web browsers have great difficulty accessing non-encrypted content on a fully encrypted website. By no means was this an economic decision," Edmodo said in a statement.

Follow David F. Carr at @davidfcarr or Google+, along with @IWKEducation.

Comments
David F. Carr (Author), 6/28/2013 5:31:14 PM, re: NY Times Calls Out Edmodo On Security
Edmodo critic Tony Porterfield provided this follow-up by email.

"I wanted to let you know that I don't think that Edmodo's statement that districts can opt-in to full SSL is correct. I'm basing my analysis on information posted on their website. It appears to be true that schools can configure their own internal networks to force edmodo sessions to be fully served with SSL. However the directions Edmodo has posted for "how to use edmodo with https" when not on a school's private network still expose the sessions to hijacking. The directions they've posted for admin accounts would expose the admin account session to hijacking according to my analysis too. ..."

"Bottom line is I think they are giving users a false sense of security by implying this is a secure method of connection when in fact it is exposing them to the risk of having sessions hijacked. It also makes their claim that since 2011 any school that chooses can opt-in to SSL at best a half-truth. And, the half that is true is not the area of concern as the school network is restricted access and ought to be well secured with WPA2. Also along with the problem of exposing the session cookie at each login, I think it's questionable to describe a method where every user must remember to do this every time as something that a district can 'opt in' for."

I can't reproduce it well here, but Porterfield included an annotated version of the policy at the link below to make his point:
http://help.edmodo.com/teacher...

While I hate to condemn Edmodo, which I believe offers a valuable service, Mr. Porterfield's reasoning seems sound to me. I hope we'll see Edmodo make a serious effort at improving security with the update promised for July.
David F. Carr (Author), 6/25/2013 6:41:33 PM, re: NY Times Calls Out Edmodo On Security
In a follow up phone call, Edmodo CEO Crystal Hutter emphasized that the service was "built with the privacy and security of students in mind" and added that "we collect very little personally identifiable info about students." Edmodo serves, in part, as a safe social platform where students interact with their teachers, not random strangers.

She said the data center and networking expense associated with supporting full SSL are not what have been holding the company back. The only issue has been the older PCs and browsers still in place at many schools, she said. Edmodo had already decided the time had come to switch to full session SSL prior to the Times story and was already working with schools to prepare for the switch, she said.
AustinIT (Apprentice), 6/25/2013 5:44:58 PM, re: NY Times Calls Out Edmodo On Security
They simply need to disable http access to their site and only allow https connections. Then, it would not matter where the source request comes from. A dam only works if it doesn't have pinholes in it.
Yet another wrinkle to this story: how about encryption of the data "at rest"? It's one thing to SSL-encrypt the communications channel. It is quite another to take the next logical step and encrypt the actual stored data, in case of a data center breach.
David F. Carr (Author), 6/25/2013 4:14:31 PM, re: NY Times Calls Out Edmodo On Security
According to Edmodo, a school district need not establish an administrative subdomain on the service to enable SSL: "A school or district can ensure that ALL users are accessing Edmodo through SSL when they are on the school or districts network by automatically redirecting www.edmodo.com to https://www.edmodo.com. This does not require that the school have a formal relationship with Edmodo or have a subdomain."

That's an interesting distinction, but I'm not sure it's reassuring. What they seem to be saying is that network administrators can build in a redirect to make sure all traffic to the Edmodo domain would go to the https address. However, that would only work when the teacher accesses the service from school premises. If they were logging in from home or a coffee shop (where the risk would be greater to begin with), that redirection wouldn't kick in. I suspect after hours is when teachers have more time to log into the application.

Edmodo provides a valuable service, appreciated by teachers across the world, so the good news is they are promising to close this loophole soon.
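What "just turn off http" looks like on the server, as an added example that is not Edmodo's code and not the school-network redirect Edmodo describes. A redirect configured on a school's own network stops working the moment a teacher connects from home or a coffee shop; the wrapper below runs on the Web service itself, so it applies on every network, which is the point raised in the two comments above. It is a WSGI middleware in Python; the host name www.example.edu, the inner application, and the X-Forwarded-Proto convention for a TLS-terminating proxy are assumptions for the example.

```python
from urllib.parse import quote

# One year; long enough that browsers stop trying http:// between visits.
HSTS_MAX_AGE = 31536000


def force_https(app, canonical_host):
    """WSGI middleware: answer every plaintext request with a redirect to
    the https:// address, and add a Strict-Transport-Security (HSTS) header
    to every https response so the browser upgrades future requests itself,
    before they ever leave the machine."""

    def wrapper(environ, start_response):
        # Behind a TLS-terminating proxy the original scheme arrives in
        # X-Forwarded-Proto (an assumption here; only trust it if the proxy
        # strips that header from client requests).  Otherwise WSGI reports it.
        scheme = environ.get("HTTP_X_FORWARDED_PROTO",
                             environ.get("wsgi.url_scheme", "http")).lower()
        path = quote(environ.get("PATH_INFO", "") or "/")
        query = environ.get("QUERY_STRING", "")
        target = f"https://{canonical_host}{path}" + (f"?{query}" if query else "")

        if scheme != "https":
            # The application, and with it the session cookie, is never
            # served in clear: the only plaintext response is this redirect.
            start_response("301 Moved Permanently", [
                ("Location", target),
                ("Content-Type", "text/plain; charset=utf-8"),
                ("Content-Length", "0"),
            ])
            return [b""]

        def start_https(status, headers, exc_info=None):
            # includeSubDomains covers per-district hosts under the main domain.
            headers = list(headers) + [("Strict-Transport-Security",
                                        f"max-age={HSTS_MAX_AGE}; includeSubDomains")]
            return start_response(status, headers, exc_info)

        return app(environ, start_https)

    return wrapper


def _inner_app(environ, start_response):
    """Constructed stand-in for the real application."""
    start_response("200 OK", [
        ("Content-Type", "text/plain; charset=utf-8"),
        ("Set-Cookie", "sid=7f3a9c1e; Path=/; Secure; HttpOnly"),
    ])
    return [b"assignments"]


def run(app, scheme, path, query="", forwarded_proto=None):
    """Drive a WSGI app with a constructed request and return
    (status, headers as a dict, body bytes)."""
    environ = {"wsgi.url_scheme": scheme, "PATH_INFO": path,
               "QUERY_STRING": query, "REQUEST_METHOD": "GET"}
    if forwarded_proto:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


APP = force_https(_inner_app, "www.example.edu")

if __name__ == "__main__":
    print(run(APP, "http", "/feed", "page=2"))                 # 301 to https://www.example.edu/feed?page=2
    print(run(APP, "https", "/feed"))                          # 200, with Strict-Transport-Security
    print(run(APP, "http", "/feed", forwarded_proto="https"))  # 200: the proxy terminated TLS
```

A 301 rather than a 302 lets browsers cache the upgrade, and HSTS goes further: once seen over https, the browser rewrites http:// to https:// before sending, so a typed address or an old bookmark never produces a plaintext request. The very first visit is still plain http until the redirect arrives, which is why the session cookie itself also needs the Secure flag.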