---------- Forwarded Message ----------
Date: 12 December 2002 16:06 -0600
From: Michael Zimmerman <[log in to unmask]>
To: [log in to unmask]
Subject: BB6 and LDAP and SSL - a loophole
I just confirmed what I'd consider to be a fairly serious security
"oversight" in BB6 for those of us using LDAP (and perhaps other types of
authentication) in conjunction with SSL encryption on the web server.
Using LDAP authentication, the regular MD5 encryption of the login name
and password is not normally possible, so it's necessary to set up SSL
on the web server. A new feature of BB6 is the "SSL Select", which allows
you to apply SSL only to particular areas of the site, such as the
gradebook or the personal information, but turning on SSL automatically
encrypts the normal login screen, and the login/logout button in the top
frame.
However, if you enable the direct_portal_access option, or let folks
"preview" the system with the Guest account, the "My Institution" screen
comes up with a fairly obvious login form in the upper left. With
direct_portal_entry in particular, that is the login form most folks are
likely to see and use. But guess what? That form is *not* SSL
encrypted--it sends the login information essentially "in the clear",
unless you want to consider converting the password to base64 to be
"encryption". I confirmed this with a packet sniffer today, just to be
sure.
I reported this to Blackboard (prior to checking with the packet sniffer),
and was told there was no plan to add SSL to that login form, and there's
no longer an option under SSL Select to encrypt the "My Institution" area.
I have not tried the "Encrypt the whole site" option, which would seem to
defeat the main benefit of the SSL Select. It's possible to make some
tweaks in system libraries to hard-wire that form to use an SSL
connection, but that's not the way the Blackboard 6 system is set up by
default. This should definitely be a concern for anyone planning to use
LDAP or some other external authentication mechanism with Blackboard 6, I
think.
Has anybody else looked at this?
Mike Zimmerman
-----------------------------------------------------------------
Michael Zimmerman, System Administrator
University of Nebraska-Omaha, ITS Academic Information Systems
Email: [log in to unmask]
Phone: 402-554-4357
Directions to BLKBRD-L archives and settings:
http://is.asu.edu/instruction/faq/usingBLKBRD-L.html
---------- End Forwarded Message ----------
--
The Library, Tyndall Avenue, Univ. of Bristol, Bristol, BS8 1TJ, UK
E-mail: [log in to unmask] URL: http://www.bris.ac.uk/
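A defender-side check for the problem the message describes, added here as an example and not taken from the post or from Blackboard: given a portal page that was served over plain HTTP, it lists every form that collects a password and whose resolved action URL is not https. The hostname and paths in the sample HTML are constructed, not real Blackboard URLs.

```python
# Added example (not Blackboard's or the poster's code): given a page that
# was fetched over plain HTTP, list the <form>s that collect a password and
# whose resolved action URL is not https, i.e. credentials leave in the clear.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # one [action_url, has_password] per form
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or missing action posts back to the page's own URL.
            self._current = [urljoin(self.page_url, a.get("action") or ""), False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def find_insecure_login_forms(page_url, html):
    """Return action URLs of password forms that would submit over plain HTTP."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    return [action for action, has_pw in scanner.forms
            if has_pw and urlsplit(action).scheme != "https"]

# Constructed sample: an http portal page with a login box posting to a
# relative path (insecure), a search form carrying no secret, and a login
# form whose action is explicitly https (fine).
SAMPLE_PAGE_URL = "http://bb.example.edu/webapps/portal/frameset.jsp"
SAMPLE_HTML = """
<form action="/webapps/login/" method="post">
  <input name="user_id" type="text"><input name="password" type="password">
</form>
<form action="https://bb.example.edu/search"><input name="q"></form>
<form action="https://bb.example.edu/webapps/login/" method="post">
  <input name="user_id"><input name="password" type="password">
</form>
"""
```

Running `find_insecure_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML)` returns only the relative-action login form; the same HTML served from an https page URL returns nothing, which is the "encrypt the whole site" case.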