Educause Security Discussion mailing list archives

Pearson MyLab - SSL issues


From: "Fowler, Becky Thurmond" <ThurmondR () MISSOURI EDU>
Date: Tue, 7 Oct 2014 13:58:16 +0000

Hello, I'm wondering if anyone on this list has dealt with the Pearson MyLab products.  We've done our standard 
contractual review and inserted procurement language into our agreement with them.  The setup our educational 
technology folks identified back when this whole thing started was that the Pearson labs would interface with a 
Blackboard Building Block and authentication would be handled in that manner.

It's since come to our attention that Pearson reps are (probably unintentionally) skirting this process and setting 
faculty up with MyLab products where the students authenticate directly to a Pearson website. 
http://portal.mypearson.com/mypearson-login.jsp  The rub?  The login page isn't using SSL so a quick Wireshark 
capture reveals the username and a raw md5 hash of the user's password in plain text.  (To add insult to injury, 
professors are encouraging students to use their University login/password pair because doing so makes the transfer of 
grades back to Blackboard easier.)

We actually have a meeting this morning with some reps because once we reported this issue we were told the "good news" 
that Pearson will be encrypting all passwords by the end of Q1 2015.  We're pushing back hard on this - I'm not sure 
what technical reason they have for not encrypting the login session but I'm sure I'll get some creative excuses at my 
9:30 meeting.

Has anyone else had these discussions with Pearson?  If so, what were the results?

Thanks!

Becky Thurmond Fowler
Manager, Security Assessments & Incident Response
Division of IT - Information Security & Access Management
University of Missouri-Columbia
becky () missouri edu
573.882.5182


