Educause Security Discussion mailing list archives
Pearson MyLab & Mastering SSL Concerns & Vulnerabilities
From: "Fackrell, Brady" <bfackrell () SHERIDAN EDU>
Date: Wed, 2 Dec 2015 16:54:41 +0000
There was a post <http://listserv.educause.edu/scripts/wa.exe?A2=ind1410&L=security&F=&S=&P=19234> similar to this, last year, that went unanswered. However, I feel I should share what we have learned with all of you so that you can reach out to Pearson yourselves and let us know if any of you have the same concerns:

Our ITS helpdesk staff noticed that while they were assisting with issues related to MyMathLab, the URLs being accessed were not utilizing SSL. As we dug further into the issue, we found that most of the "MyLab & Mastering" products (MyMathLab, MyStatLab, etc.) had the same issue. Pearson's site has users log in at an HTTPS encrypted login screen; however, once logged in, the users are redirected to HTTP addresses for the rest of their session. They bounce around to several internal Pearson addresses and their session is completely unencrypted for nearly the entire time.

Yesterday we had a call with 6 Pearson representatives, including their product director for MyMathLab. We briefly outlined our issues, observations and concerns to them. The product director confirmed that everything we outlined was accurate and they have been aware of these issues for about a year. They stated that it was a "high priority" to get this resolved but they did not have a definitive timeline for doing so. They hoped to have it resolved by Q1 or Q2 of next year but did not provide a specific deadline.

Our institution is concerned, but we haven't seen posts or inquiries from other schools on listservs or blogs. We are curious if other institutions have looked into this with Pearson or have addressed this internally.

Thanks in advance.
Regards,
Brady Fackrell

Brady Fackrell
Director of Information Technology Services (CIO)
Northern Wyoming Community College District:
Sheridan College * Gillette College * Sheridan College in Johnson County
3059 Coffeen Avenue
Sheridan, WY 82801
Internet: bfackrell () sheridan edu
www.sheridan.edu <http://www.sheridan.edu/sc/services/its>
Phone: (307) 674-3399
Fax: (307) 672-7121
Follow ITS@NWCCD on Twitter, Facebook & Google+:
<http://www.twitter.com/ITS_NWCCD>
<http://www.facebook.com/pages/Sheridan-WY/Information-Technology-Services-Department-at-NWCCD/102974096409191>
<https://plus.google.com/105575739749260887245?prsrc=3>
Think before you print.
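
Added example, not part of the original message or of any Pearson tooling: a small check that walks a recorded redirect chain and flags the pattern described above, where an HTTPS login hands the session off to plain HTTP. It goes one step beyond the post by also flagging cookies set without the `Secure` attribute; the hop format, the hostnames and the cookie are constructed sample data.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: hops as you might record them from browser dev tools
# or a proxy log. Hostnames and cookie values are placeholders.
SAMPLE_HOPS = [
    {"url": "https://login.vendor.example/signin", "status": 302,
     "headers": [("Location", "https://portal.vendor.example/home"),
                 ("Set-Cookie", "SESSION=abc123; Path=/; HttpOnly")]},
    {"url": "https://portal.vendor.example/home", "status": 302,
     "headers": [("Location", "http://course.vendor.example/launch")]},
    {"url": "http://course.vendor.example/launch", "status": 302,
     "headers": [("Location", "/player")]},
    {"url": "http://course.vendor.example/player", "status": 200,
     "headers": []},
]


def audit_hops(hops):
    """Return (kind, hop_index, detail) findings for a redirect chain."""
    findings = []
    for i, hop in enumerate(hops):
        scheme = urlsplit(hop["url"]).scheme.lower()
        for name, value in hop["headers"]:
            header = name.lower()
            if header == "location":
                # Relative Location values inherit the scheme of the current hop.
                target = urljoin(hop["url"], value)
                if scheme == "https" and urlsplit(target).scheme.lower() == "http":
                    findings.append(("downgrade", i, target))
            elif header == "set-cookie":
                # Without Secure, the browser also sends the cookie over HTTP.
                attrs = [a.strip().lower() for a in value.split(";")[1:]]
                if "secure" not in attrs:
                    cookie_name = value.split("=", 1)[0].strip()
                    findings.append(("cookie-no-secure", i, cookie_name))
        # Content finally served over HTTP is readable on the network path.
        if scheme == "http" and hop["status"] == 200:
            findings.append(("plaintext-page", i, hop["url"]))
    return findings


if __name__ == "__main__":
    for kind, index, detail in audit_hops(SAMPLE_HOPS):
        print(f"hop {index}: {kind}: {detail}")
```
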