Edmodo Upgrades Student, Teacher Security, After Criticism

Published: 22/11/2024   Category: security




Network engineer and parent who complained of Edmodo's inadequate use of SSL encryption says they've made a few million kids a lot safer.



Edmodo, the educational social software site for teachers, students and parents, has filled a hole in its website security that could have provided an opening for hackers.
As of late last week, visitors to edmodo.com were getting a connection that uses Secure Sockets Layer encryption -- the https, rather than http, version of the Hypertext Transfer Protocol. Previously, the use of https was not as consistent. Edmodo encrypted access to its log-in page, but after log in, users would not necessarily get an encrypted connection while using the website, which among other things is used for communication between teachers and their students. School districts could configure their networks to automatically redirect browser traffic to an https address, but a teacher accessing the site from home wouldn't get an encrypted connection -- not without manually changing the http to https every time she signed on to edmodo.com.
Without complete encryption, it's possible for an attacker to intercept communications with the website -- for example, over a wireless connection at a coffee shop -- and then capture key data such as the session cookie used to identify a user to a Web application after the initial log in. The attacker could then use the cookie to impersonate an authorized user without needing the user's log-in information.
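The gap described above (encrypted log-in, unencrypted session afterwards) can be checked from recorded responses. The following is an added example, not code from Edmodo or the original article: the host school.example, the cookie name and the response data are constructed, and the HSTS check is an added hardening point the article does not mention.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 307, 308)

def audit(responses):
    """Audit recorded (url, status, headers) tuples; return (code, subject) findings."""
    findings = []
    for url, status, headers in responses:
        scheme = urlsplit(url).scheme
        # A cookie without Secure is attached to plain-http requests too,
        # even if it was issued by an https log-in page.
        for raw in headers.get("Set-Cookie", []):
            jar = SimpleCookie()
            jar.load(raw)
            for name, morsel in jar.items():
                if not morsel["secure"]:
                    findings.append(("cookie-not-secure", name))
        # Without HSTS the browser keeps honouring typed or bookmarked http:// URLs.
        if scheme == "https" and "Strict-Transport-Security" not in headers:
            findings.append(("no-hsts", url))
        # An http URL is acceptable only as a redirect straight to https.
        if scheme == "http":
            to_https = headers.get("Location", "").startswith("https://")
            if not (status in REDIRECTS and to_https):
                findings.append(("plaintext-page", url))
    return findings

# Constructed sample data (school.example is a placeholder host).
HSTS = {"Strict-Transport-Security": "max-age=31536000"}
PARTIAL_TLS = [
    ("https://school.example/login", 200,
     {"Set-Cookie": ["session=abc123; Path=/; HttpOnly"]}),
    ("http://school.example/home", 200, {}),
]
FULL_TLS = [
    ("https://school.example/login", 200,
     {"Set-Cookie": ["session=abc123; Path=/; HttpOnly; Secure"], **HSTS}),
    ("http://school.example/home", 301,
     {"Location": "https://school.example/home"}),
    ("https://school.example/home", 200, dict(HSTS)),
]

if __name__ == "__main__":
    print(audit(PARTIAL_TLS))
    print(audit(FULL_TLS))
```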
"If you don't protect the session cookie, you're vulnerable to the creepy guy who grabs that cookie and starts looking around," said Tony Porterfield, a networking hardware engineer who made an issue of Edmodo's lax security, initially taking his story to The New York Times.
When Edmodo's spotty use of encryption came to light in June, the company said the encryption issue would be addressed as part of a July 15 upgrade to the service. It arrived a few days later than that, following a wave of feature and design updates.
Porterfield said he wouldn't quibble about a delay of a few days. "It's a big step forward, really great," he said in an interview. After reviewing all the sections of the website that concerned him previously, he said he was convinced that they are properly protected now. The only thing that still concerns him is that the educational apps promoted through the Edmodo app store do not all meet the same standard and some of them have access to Edmodo data through APIs.
Still, it's progress. "I'm encouraged that they, in fairly short order, did turn it around. They've made a few million kids a lot safer by what they did," Porterfield said.
Edmodo notified me when the SSL feature went live, and I've asked for an interview on their latest updates. Edmodo CEO Crystal Hutter exchanged phone and email messages with me late Friday, but we did not connect. Previously, she has stressed that Edmodo had planned to move to full encryption this year all along and didn't do it sooner partly because encryption adds network and computing overhead -- a problem for some schools with older PCs and limited bandwidth.
Edmodo has a reputation as a valuable tool for teachers, functioning as a social network for professional development and sharing curriculum ideas and materials, while also providing a way to communicate with students and parents. Although the company doesn't promote its product as a learning management system per se, it does provide tools for posting homework assignments and online quizzes, as well as a grade book module and course calendar.
"I know my neighbors' kids love it, and the school loves it and what it provides," Porterfield said. Although he sees some irony in the way Edmodo has been promoting itself as the secure alternative to public social media sites such as Facebook, he also sees how it could be considered safe and secure based on some legitimate things.
For example, Edmodo's system is structured so teachers have access to information and communications about only their own students. Although it's possible for members of the general public to set up an account -- both Porterfield and I have set up accounts in the guise of home school teachers -- a member of the site can't simply troll through student records the way a child predator might want to. The scheme for authorized access makes good sense, Porterfield said. It was the potential for unauthorized access that concerned him. Although network security is not his professional specialty, Porterfield began educating himself on issues such as session hijacking after noticing that many websites managing children's data seemed to have lax information security practices.
In May, he was also quoted in a Mother Jones feature on how other websites such as Shutterfly fail to adequately protect data about children. In that case, what caught his attention was a promotional connection between the website and the American Youth Soccer Organization.
"I was an AYSO coach for my younger son last fall, and I went to a coach training session where I was given a flyer about how to set up a Shutterfly account for my team," Porterfield told Mother Jones. "So I went on, I set up a roster, and then I realized right away that there was no SSL security. I couldn't believe it. I thought: 'We're protecting our credit cards, but we're not protecting our kids?'" He was concerned about what a child predator might do with access to a team account that would include pictures of the children along with their names and other information about them.
Similarly, even though Edmodo says its service is not intended to amass personal information about children, it collects plenty of information that could be misused, Porterfield said.
What concerns him more is that poor support for or improperly implemented Web security seems to be commonplace across educational apps. Now that it has addressed its own shortcomings, Porterfield said he hopes to see Edmodo follow through by requiring more attention to security from its app store partners.
The latest updates to the Children's Online Privacy Protection Act (COPPA) state that in addition to its own reasonable procedures for protecting the privacy of children's data, software and service providers must also take reasonable steps to release children's personal information only to service providers and third parties who are capable of maintaining the confidentiality, security and integrity of such information, and who provide assurances that they will maintain the information in such a manner.
However, the loophole seems to be a vague reference to commercially reasonable measures for protecting data, Porterfield said. "I think SSL is commercially reasonable. You've got to be extra careful when it's kids you're dealing with."
Follow David F. Carr at @davidfcarr or Google+, along with @IWKEducation.
