On February 11th Natasha Singer reported in the NY Times that many companies that collect student information had signed the Student Privacy Pledge, while having logins that were not encrypted, exposing usernames and passwords — and the associated accounts — to unauthorized access. The Student Privacy Pledge signatories promise to: (highlights are mine)
Maintain a comprehensive security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information against risks – such as unauthorized access or use, or unintended or inappropriate disclosure – through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information.
The OWASP guideline, and widely accepted best practice, is to encrypt the login form, the transfer of credentials, and all subsequent authenticated transfers during the login session. (This is one of the things that SSL/HTTPS does.) It is one of the most elementary security measures a web service can implement. Any form of student information is sensitive enough to reasonably warrant this basic level of protection.
Today, I counted eight Student Privacy Pledge signatories that appear to hold personal information about students, yet do not encrypt the transmission of their users’ login credentials. Seven of them had already signed when the story ran on February 11th and have not made changes, and one (Cambium Learning Group, covered in earlier posts) signed the pledge while having unencrypted logins, among many other security problems.
My method was the following:
- Visit the website of the signatory
- Decide if it appears to collect student information (has a student login, for example)
- If so, do a login attempt and confirm in a proxy that the username and password are sent in plain text, without encryption
Since I don’t have login accounts for most of these services I did not do further checks about what happens after login.
The sites I observed to still be sending usernames and passwords without encryption were:
[Updated 3/25/15 to show results of doing the same check, after I was contacted by a couple of services letting me know they’d added SSL]
brainhive [No login encryption on 3/25]
code.org [No login encryption on 3/25]
edgenuity [No login encryption on 3/25]
writerkey [Encrypted login on 3/25]
myon [Encrypted login on 3/25]
orglib [Encrypted login on 3/25]
readorium [Encrypted login on 3/25]
raz-kids (Cambium Learning Group) [Encrypted login on 3/25]