Comments
NY Times Calls Out Edmodo On Security
David F. Carr, User Rank: Author
6/25/2013 | 4:14:31 PM
re: NY Times Calls Out Edmodo On Security
According to Edmodo, a school district need not establish an administrative subdomain on the service to enable SSL: "A school or district can ensure that ALL users are accessing Edmodo through SSL when they are on the school or districts network by automatically redirecting www.edmodo.com to https://www.edmodo.com. This does not require that the school have a formal relationship with Edmodo or have a subdomain."

That's an interesting distinction, but I'm not sure it's reassuring. What they seem to be saying is that network administrators can build in a redirect to make sure all traffic to the Edmodo domain would go to the https address. However, that would only work when the teacher accesses the service from school premises. If they were logging in from home or a coffee shop (where the risk would be greater to begin with), that redirection wouldn't kick in. I suspect after hours is when teachers have more time to log into the application.

Edmodo provides a valuable service, appreciated by teachers across the world, so the good news is they are promising to close this loophole soon.
AustinIT, User Rank: Apprentice
6/25/2013 | 5:44:58 PM
re: NY Times Calls Out Edmodo On Security
They simply need to disable http access to their site and only allow https connections. Then, it would not matter where the source request comes from. A dam only works if it doesn't have pinholes in it.
Yet another wrinkle to this story is - how about encryption of the data "at rest"? It's one thing to SSL encrypt the communications channel. It is quite another to take the next logical step and encrypt the actual stored data - in case of a Datacenter breach.
David F. Carr, User Rank: Author
6/25/2013 | 6:41:33 PM
re: NY Times Calls Out Edmodo On Security
In a follow-up phone call, Edmodo CEO Crystal Hutter emphasized that the service was "built with the privacy and security of students in mind" and added that "we collect very little personally identifiable info about students." Edmodo serves, in part, as a safe social platform where students interact with their teachers, not random strangers.

She said the data center and networking expense associated with supporting full SSL are not what have been holding the company back. The only issue has been the older PCs and browsers still in place at many schools, she said. Edmodo had already decided the time had come to switch to full session SSL prior to the Times story and was already working with schools to prepare for the switch, she said.
David F. Carr, User Rank: Author
6/28/2013 | 5:31:14 PM
re: NY Times Calls Out Edmodo On Security
Edmodo critic Tony Porterfield provided this follow-up by email.

"I wanted to let you know that I don't think that Edmodo's statement that districts can opt-in to full SSL is correct. I'm basing my analysis on information posted on their website. It appears to be true that schools can configure their own internal networks to force edmodo sessions to be fully served with SSL. However the directions Edmodo has posted for "how to use edmodo with https" when not on a school's private network still expose the sessions to hijacking. The directions they've posted for admin accounts would expose the admin account session to hijacking according to my analysis too. ..."

"Bottom line is I think they are giving users a false sense of security by implying this is a secure method of connection when in fact it is exposing them to the risk of having sessions hijacked. It also makes their claim that since 2011 any school that chooses can opt-in to SSL at best a half-truth. And, the half that is true is not the area of concern as the school network is restricted access and ought to be well secured with WPA2. Also along with the problem of exposing the session cookie at each login, I think it's questionable to describe a method where every user must remember to do this every time as something that a district can 'opt in' for."

I can't reproduce it well here, but Porterfield included an annotated version of the policy at the link below to make his point:
http://help.edmodo.com/teacher...

While I hate to condemn Edmodo, which I believe offers a valuable service, Mr. Porterfield's reasoning seems sound to me. I hope we'll see Edmodo make a serious effort at improving security with the update promised for July.
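Added illustration, not code from this thread, from Edmodo or from the Times article: a minimal model of the server-side fix AustinIT describes (refuse plain HTTP at the server, not at the school's network edge) next to the weak pattern Porterfield's email points to (a session cookie issued without the Secure flag, so any later plain-HTTP visit exposes it). The host and cookie name are assumptions.

```python
# Added example, not code from the thread or from Edmodo: a minimal model
# of enforcing HTTPS on the server rather than relying on a school network
# redirect. Host name and cookie name are assumptions for illustration.
from http.cookies import SimpleCookie

HOST = "www.example-lms.test"   # assumed host, not Edmodo's
SESSION_COOKIE = "sid"          # assumed session cookie name
HSTS = "max-age=31536000; includeSubDomains"


def handle(scheme: str, path: str, session_id: str) -> dict:
    """Respond to one request. Plain-HTTP requests are redirected before
    any session cookie is issued, so a login typed as 'www...' from a
    coffee shop never carries the session in the clear."""
    if scheme != "https":
        return {"status": 301,
                "headers": {"Location": f"https://{HOST}{path}"}}
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = session_id
    cookie[SESSION_COOKIE]["secure"] = True    # browser sends it over https only
    cookie[SESSION_COOKIE]["httponly"] = True  # not readable by page scripts
    cookie[SESSION_COOKIE]["samesite"] = "Lax"
    return {"status": 200,
            "headers": {"Set-Cookie": cookie.output(header="").strip(),
                        # HSTS: later visits skip the insecure hop entirely
                        "Strict-Transport-Security": HSTS}}


def legacy_handle(scheme: str, path: str, session_id: str) -> dict:
    """The weak pattern the thread discusses: content and the session
    cookie served over whichever scheme the client used, no Secure flag."""
    return {"status": 200,
            "headers": {"Set-Cookie": f"{SESSION_COOKIE}={session_id}; Path=/"}}


def browser_would_send_cookie(set_cookie: str, scheme: str) -> bool:
    """The browser rule that decides exposure: a cookie carrying the
    Secure attribute is attached to https requests only."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")]
    return scheme == "https" or "secure" not in attrs
```

With the hardened handler the school-network redirect becomes redundant rather than load-bearing: the same policy applies from home, and HSTS removes even the first insecure request on repeat visits.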