Https

Discussion in 'Off-topic' started by StudentActuary_02, Oct 29, 2015.

  1. Is there a reason why this website doesn't use a secure HTTPS connection when we are signed in?
     
  2. John Lee

    John Lee ActEd Tutor Staff Member

    I've chatted with our IT department and they say "it's coming very soon".
     
  3. Thanks for the replies - could you get an ETA from IT on fixing this security issue?
     
  4. John Lee

    John Lee ActEd Tutor Staff Member

    You'll observe that we've migrated the website. The rest should follow in January.
     
  5. Thanks John.

    Hopefully they can sort another issue with the learn.bpp.com portal. That uses HTTPS, but there are some really serious security problems with the portal.

    The following results are copied from a test run by Qualys SSL Labs (results can be found here: https://www.ssllabs.com/ssltest/analyze.html?d=learn.bpp.com&hideResults=on), which gave the website a fail grade "F" for the security provided by its HTTPS connection. In particular, the website scores 0 out of 100 for Protocol Support and Key Exchange:

    "This server supports SSL 2, which is obsolete and insecure. Grade set to F.

    This server supports 512-bit export suites and might be vulnerable to the FREAK attack. Grade set to F.

    This server uses SSL 3, which is obsolete and insecure. Grade capped to B.

    Certificate has a weak signature and expires after 2015. Upgrade to SHA2 to avoid browser warnings.

    The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C.

    This server accepts RC4 cipher, but only with older protocol versions. Grade capped to B.

    The server does not support Forward Secrecy with the reference browsers.

    This server's certificate chain is incomplete. Grade capped to B."

    Some of the issues raised are really basic errors in HTTPS implementation (e.g. SSL2 and SSL3 have been obsolete for decades) that really need to be addressed urgently to protect students who use this portal.

    Can the IT team ensure this is addressed at the same time?
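    The findings quoted above map directly onto server-side TLS settings. The script below is an added example, not code from the thread or from either site's IT team: it reads the report's "Grade set to"/"Grade capped to" lines to compute the resulting grade, flags individual cipher suites for the three cipher-level problems named (RC4, export-grade key lengths, no forward secrecy), and builds a Python `ssl` server context that would clear the protocol and cipher findings. The sample report text and the legacy suite dictionaries are constructed for the example; the suite-dictionary shape follows what `SSLContext.get_ciphers()` returns.

```python
"""Offline checks for the TLS weaknesses named in an SSL Labs report.

Added example; not part of the forum thread. Standard library only.
"""
import re
import ssl

# Constructed sample: the finding lines quoted in the thread, in SSL Labs' wording.
SAMPLE_REPORT = """\
This server supports SSL 2, which is obsolete and insecure. Grade set to F.
This server supports 512-bit export suites and might be vulnerable to the FREAK attack. Grade set to F.
This server uses SSL 3, which is obsolete and insecure. Grade capped to B.
The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C.
This server accepts RC4 cipher, but only with older protocol versions. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.
This server's certificate chain is incomplete. Grade capped to B.
"""

# SSL Labs letter grades, best to worst (the subset the quoted report uses).
GRADE_ORDER = ["A+", "A", "A-", "B", "C", "D", "E", "F"]


def effective_grade(report: str, baseline: str = "A") -> str:
    """Worst grade implied by 'Grade set to X' / 'Grade capped to X' lines.

    Both phrasings bound the final grade from above, so the result is the
    worst letter mentioned, or the baseline if no line mentions a grade.
    """
    worst = baseline
    for match in re.finditer(r"Grade (?:set|capped) to ([A-F][+-]?)", report):
        grade = match.group(1)
        if GRADE_ORDER.index(grade) > GRADE_ORDER.index(worst):
            worst = grade
    return worst


# Key exchanges that give forward secrecy in TLS 1.2 and earlier
# (names as reported in the 'kea' field of SSLContext.get_ciphers()).
PFS_KEY_EXCHANGES = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk"}


def suite_problems(suite: dict) -> list:
    """Report-style problems a single cipher suite would trigger.

    `suite` has the shape of the dicts from SSLContext.get_ciphers():
    at least 'name', 'protocol', 'kea' and 'strength_bits'.
    """
    problems = []
    name = suite["name"]
    if "RC4" in name:
        problems.append("RC4 cipher")
    if name.startswith("EXP") or suite["strength_bits"] < 112:
        problems.append("export-grade / weak key length")
    # TLS 1.3 suites always use an ephemeral (forward-secret) key exchange.
    if suite["protocol"] != "TLSv1.3" and suite.get("kea") not in PFS_KEY_EXCHANGES:
        problems.append("no forward secrecy")
    return problems


def weak_suites(ctx: ssl.SSLContext) -> dict:
    """Map each enabled suite that would be flagged to its list of problems."""
    flagged = {}
    for suite in ctx.get_ciphers():
        problems = suite_problems(suite)
        if problems:
            flagged[suite["name"]] = problems
    return flagged


def hardened_server_context() -> ssl.SSLContext:
    """Server context that clears the protocol and cipher findings in the report.

    The incomplete-chain finding is fixed separately: the certfile passed to
    ctx.load_cert_chain() must contain the leaf certificate followed by its
    intermediates, not the leaf alone.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSL 2/3 and TLS 1.0/1.1
    # Only ephemeral key exchange with AEAD ciphers; RC4, MD5 and 3DES excluded.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


# Constructed legacy suites mirroring what the quoted report complains about.
LEGACY_SUITES = [
    {"name": "EXP-RC4-MD5", "protocol": "SSLv3", "kea": "kx-rsa", "strength_bits": 40},
    {"name": "AES128-SHA", "protocol": "TLSv1.0", "kea": "kx-rsa", "strength_bits": 128},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "kea": "kx-ecdhe", "strength_bits": 128},
]

if __name__ == "__main__":
    print("report grade:", effective_grade(SAMPLE_REPORT))
    for suite in LEGACY_SUITES:
        print(suite["name"], "->", suite_problems(suite) or "ok")
    print("flagged suites in hardened context:", weak_suites(hardened_server_context()))
```

Running it against a live host is a separate step (SSL Labs does that for you); the point here is that `minimum_version` and one cipher string are all that stands between the quoted report and a passing grade on the protocol and cipher lines, while the chain finding is a deployment-file issue rather than a configuration flag.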
     
  6. John Lee

    John Lee ActEd Tutor Staff Member

    Thank you so much for your attention to detail. The learn portal is hosted by BPP rather than ActEd so I will pass this onto them.

    Many thanks

    John
     
  7. Hi John

    Thanks for passing this on - have they been able to respond?
     
  8. John Lee

    John Lee ActEd Tutor Staff Member

    Yes. I believe some changes are being made but ultimately the whole site is to be migrated soon anyway.
     
  9. John Lee

    John Lee ActEd Tutor Staff Member

    Just to let you know that the ActEd website is now updated to a secure HTTPS connection.
     
  10. Hobbs

    Hobbs Member

    I feel safer already.
     
    John Lee likes this.
  11. Thank you John
     
    John Lee likes this.
  12. Hi John

    Although the ActEd website's security issues have been resolved with your help, no changes have been made to the BPP site, as shown by the following report run today:

    "Experimental: This server is vulnerable to the DROWN attack. Grade set to F. MORE INFO »
    This server supports SSL 2, which is obsolete and insecure, and can be used against TLS (DROWN attack). Grade set to F. MORE INFO »
    This server supports 512-bit export suites and might be vulnerable to the FREAK attack. Grade set to F. MORE INFO »
    This server uses SSL 3, which is obsolete and insecure. Grade capped to B. MORE INFO »
    The server supports only older protocols, but not the current best TLS 1.2. Grade capped to C. MORE INFO »
    This server accepts RC4 cipher, but only with older protocol versions. Grade capped to B. MORE INFO »
    The server does not support Forward Secrecy with the reference browsers. MORE INFO »
    This server's certificate chain is incomplete. Grade capped to B."

    Again, some of the issues raised are really basic errors in HTTPS implementation (e.g. SSL2 and SSL3 have been obsolete for decades) that really need to be addressed urgently to protect students who use this portal.

    Could you get an update from BPP on when the passwords for students (and other personal information) being transmitted between BPP and the student's computer will be properly protected?

    Thanks again for your help.
     
  13. John Lee

    John Lee ActEd Tutor Staff Member

    As I mentioned before, the learn portal is hosted by BPP so we are unable to change this.
    My understanding (which may be wrong) is that since only the portal is vulnerable there is no issue unless you use the same password/email combination for other websites. The second reason it has not been prioritised is that we are migrating to a new site which does have security, but this is taking far more time than anticipated.
     
  14. Hi John

    Thanks for a fast reply.

    Like many outside the profession, I imagine many students do re-use their passwords. In addition, if a website has such glaring HTTPS issues, its servers are likely to be poorly configured elsewhere, leaving students' email addresses, passwords (maybe name and employer as well?) vulnerable to the types of breaches seen at other websites recently.

    Although this will only help with the first point above, could you ask your contact at BPP to provide a warning to students to use a unique password at the BPP sign-in page while BPP finishes securing its portal?
     
    Last edited by a moderator: Jun 14, 2016
    Hemant Rupani likes this.