It's not exactly secure without ldap + ssl either. I came across the
entry below at http://support.blackboard.com:8080/~administrators/login.
It's marked version 5.5, but I'd expect this is still valid for
version 6.
Herta
*Topic:* Password encryption? (3 of 3), Read 19 times
*Conf:* Blackboard 5.5
<http://support.blackboard.com:8080/%7Eadministrators/confinfo?6>
*From:* Jeremy Portzer
<http://support.blackboard.com:8080/%7Eadministrators/userpeek?3465>
[log in to unmask] <mailto:[log in to unmask]>
*Date:* Thursday, November 21, 2002 09:58 AM
I agree with G. Parker about how Blackboard uses the MD5 hash and
one-time key for the password authentication. This works well for hiding
the password, unless you switch to LDAP or other system where the
hashing is necessarily turned off. But hiding the password doesn't
really do you much good in the long run because of another bigger problem.
The reason that Blackboard (without SSL) isn't that secure is because
*session* keys are transmitted in the clear. If someone is sniffing your
network, they can easily determine the session key (session_id cookie),
and use that key to gain access to your Blackboard session, and gain all
the privileges of the account. The session key is transmitted with every
Blackboard request, too -- so it's much easier to "find" when sniffing
packets. For this reason, system administrators must NEVER log on from
an untrusted network, and always log out as soon as they're done working
(to invalidate the session).
And also note that the change password feature doesn't require the old
password to be entered. So an attacker could easily take
control of an account by hijacking the session, and then changing the
password.
The only viable solution to this problem is to put Blackboard behind
SSL. This can cause performance issues since everything, including
images and downloads, gets SSL encrypted. Blackboard 6 will come with an
"SSL Choice" utility that allows you to specify which parts of
Blackboard are SSL encrypted.
--Jeremy
Paul Browning wrote:
> ---------- Forwarded Message ----------
> Date: 12 December 2002 16:06 -0600
> From: Michael Zimmerman <[log in to unmask]>
> To: [log in to unmask]
> Subject: BB6 and LDAP and SSL - a loophole
>
> I just confirmed what I'd consider to be a fairly serious security
> "oversight" in BB6 for those of us using LDAP (and perhaps other types of
> authentication) in conjunction with SSL encryption on the web server.
>
> Using LDAP authentication, the regular MD5 encryption of the login name
> and password is not normally possible, so it's necessary to set up SSL
> on the web server. A new feature of BB6 is the "SSL Select", which allows
> you to apply SSL only to particular areas of the site, such as the
> gradebook or the personal information, but turning on SSL automatically
> encrypts the normal login screen, and the login/logout button in the top
> frame.
>
> However, if you enable the direct_portal_access option, or let folks
> "preview" the system with the Guest account, the "My Institution" screen
> comes up with fairly obvious login form in the upper left. With
> direct_portal_entry in particular, that is the login form most folks are
> likely to see and use. But guess what? That form is *not* SSL
> encrypted--it sends the login information essentially "in the clear",
> unless you want to consider converting the password to base64 to be
> "encryption". I confirmed this with a packet sniffer today, just to be
> sure.
>
> I reported this to Blackboard (prior to checking with the packet
> sniffer),
> and was told there was no plan to add SSL to that login form, and there's
> no longer an option under SSL Select to encrypt the "My Institution" area.
> I have not tried the "Encrypt the whole site" option, which would seem to
> defeat the main benefit of the SSL Select. It's possible to make some
> tweaks in system libraries to hard-wire that form to use an SSL
> connection, but that's not the way the Blackboard 6 system is set up by
> default. This should definitely be a concern for anyone planning to use
> LDAP or some other external authentication mechanism with Blackboard 6, I
> think.
>
> Has anybody else looked at this?
>
> Mike Zimmerman
> -----------------------------------------------------------------
> Michael Zimmerman, System Administrator
> University of Nebraska-Omaha, ITS Academic Information Systems
> Email: [log in to unmask]
> Phone: 402-554-4357
>
> Directions to BLKBRD-L archives and settings:
> http://is.asu.edu/instruction/faq/usingBLKBRD-L.html
>
>
> ---------- End Forwarded Message ----------
>
>
>
> --
> The Library, Tyndall Avenue, Univ. of Bristol, Bristol, BS8 1TJ, UK
> E-mail: [log in to unmask] URL: http://www.bris.ac.uk/
--
******************************************************
Herta Van den Eynde
Toledo system management
K.U.Leuven - Ludit
W.de Croylaan 52A
B-3001 Heverlee
Belgium
tel: +32 (0)16 322 166
fax: +32 (0)16 322 999
******************************************************
"For something fulfilled this hour, loved or endured."
(W.H. Auden)
******************************************************
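The two weaknesses raised in this thread (a password form that submits over plain HTTP even when SSL is "on", and a session_id cookie that travels without the Secure attribute) can both be checked from a captured page and its response headers. The following audit script is an added example, not code from the thread or from Blackboard; the host name, paths, form markup and cookie values are constructed stand-ins for the "My Institution" portal page described above.

```python
"""Audit a fetched page for login forms that post over http:// and for session
cookies set without the Secure flag. Runs offline on the constructed sample below."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect each <form>'s action and whether it carries a password field."""
    def __init__(self):
        super().__init__()
        self.forms = []        # each entry: {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_login_forms(page_url, html):
    """Return resolved action URLs of password forms that would submit over http://.
    A relative action inherits the scheme of the page it was served on, which is
    exactly how a form on an http:// portal page ends up sending credentials in the clear."""
    scanner = _FormScanner()
    scanner.feed(html)
    bad = []
    for form in scanner.forms:
        target = urljoin(page_url, form["action"])
        if form["has_password"] and urlsplit(target).scheme != "https":
            bad.append(target)
    return bad


def cookies_missing_secure(set_cookie_headers, names=("session_id",)):
    """Return the names of session cookies set without the Secure attribute,
    i.e. cookies a browser would also send over plain HTTP where a sniffer can read them."""
    missing = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        if name in names and "secure" not in {p.lower() for p in parts[1:]}:
            missing.append(name)
    return missing


# Constructed sample (hypothetical host and paths): an http:// portal page with an
# embedded login form, plus one correctly https:// form, and two Set-Cookie headers.
PORTAL_URL = "http://bb.example.edu/webapps/portal/frameset.jsp"
PORTAL_HTML = """<html><body>
<form action="/webapps/login/" method="post">
  <input type="text" name="user_id"><input type="password" name="password">
</form>
<form action="https://bb.example.edu/webapps/login/" method="post">
  <input type="password" name="password">
</form></body></html>"""
SET_COOKIE = ["session_id=CONSTRUCTED-VALUE; Path=/", "JSESSIONID=CONSTRUCTED; Path=/; Secure"]

if __name__ == "__main__":
    print("forms posting credentials over http:", insecure_login_forms(PORTAL_URL, PORTAL_HTML))
    print("session cookies without Secure:", cookies_missing_secure(SET_COOKIE))
```

Running the script against a page saved from the real portal (and its response headers) shows whether enabling SSL Select actually covers the form users see, rather than only the login screen the setting documents.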