Session stealing in most VLEs is easily done by embedding malicious code in material (messages, blog entries, dropbox asignments etc.) which is uploaded to the VLE by users. The protocol is irrelevant - you can steal session cookies just as easily with https as http. Using https will prevent IP traffic snooping, but that's not where the main vulnerabilities lie.
____________________________________________
Andrew G Booth BSc PhD NTF FHEA
National Teaching Fellow
Professor of Online Learning
Institute of Molecular and Cellular Biology
Garstang Building
University of Leeds
Leeds LS2 9JT
U.K.
Tel: +44-113-343-3142
____________________________________________
No Education Patents
http://www.noedupatents.org/
____________________________________________
-----Original Message-----
From: Virtual Learning Environments [mailto:[log in to unmask]] On Behalf Of Adam Marshall
Sent: 18 May 2009 12:24
To: [log in to unmask]
Subject: [VLES] is your VLE's URL http or https ?
We're not sure whether to run our VLE as http or https.
If we use https then obviously all content is encrypted and we can use
secure cookies meaning the likelihood of man-in-the-middle attacks or
session stealing are very low indeed.
However, there is a huge drawback in that if somebody embeds a You Tube
video, or flickr photo-stream or the like (which can only be accessed by
http) then MS Internet Explorer throws up scary looking warnings about the
page containing 'secure and non-secure items' causing some users to panic
and others to think that the VLE is somehow at fault.
Using http means that such messages don't appear but that session stealing
or man-in-the-middle attacks are a lot more likely.
We could allow both http and https but this doesn't stop session stealing or
man-in-the-middle attacks at all.
Basically it's a no-win situation unless you ban people from using Internet
Explorer which would be an admirable stance but which would never happen in
practice!
What approach have other institutions taken?
Adam
--
Adam Marshall: OUCS, 13, Banbury Rd. Oxford OX2 6NN.
The upcoming new WebLearn service: http://beta.weblearn.ox.ac.uk
Shameless plug: http://www.myspace.com/wheresthebeachmusic
Cheese of the month: Double Gloucester - shouldnt be overlooked!
***************** List information: *****************
Remember - replies go by default to the entire list.
Access the list via the web on http://www.jiscmail.ac.uk/lists/vle.html
To unsubscribe, email [log in to unmask] with the message: leave vle
***************** List information: *****************
Remember - replies go by default to the entire list.
Access the list via the web on http://www.jiscmail.ac.uk/lists/vle.html
To unsubscribe, email [log in to unmask] with the message: leave vle
|