#26 unable to ensure if secured version of SEB is being used

Status: open
Owner: nobody
Labels: SEB (18)
Priority: 7
Updated: 2013-11-01
Created: 2012-11-09
Creator: Anonymous
Private: No

Moodle needs SEB to open the quiz, but there is no check to ensure that the configured SEB instance is being used. A student can easily download another copy externally, and make it customized to avoid the locks that have been put in the secured SEB and hence still answer the quiz.
Can there be some kind of secured communication between the Moodle server and the SEB on the client machine which checks if this is the authorised version of the SEB browser and then allows the test to open?

One suggestion by Tim Hunt at moodle.org is as under:
I think that a reasonable design for a more secure system would be something like this:
Change safe-browser so that it sends an additional header with every HTTP request like
X-SafeBrowser-RequestHash: { here we put SHA1 of some things, e.g. the requested URL concatenated with a salt compiled in to the software }
Moodle can then verify that header is correct, but only if the admin knows the right secure salt (because they compiled this version of SEB) and can enter it into Moodle.

Any suggestions?

Regards
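
A minimal sketch of the header check proposed above, with both the browser side and the server side, as an added example that is not code from Moodle or SEB. The function names, the salt and the URLs are constructed for illustration; the header name and the SHA-1 of URL plus salt construction are taken from the proposal.

```python
import hashlib
import hmac

HEADER = "X-SafeBrowser-RequestHash"  # header name from the proposal


def request_hash(url: str, salt: str) -> str:
    """Browser side: SHA-1 of the requested URL concatenated with the salt."""
    return hashlib.sha1((url + salt).encode("utf-8")).hexdigest()


def verify_request(url: str, headers: dict, salt: str) -> bool:
    """Server side: recompute the hash for the URL that was actually requested.

    `salt` is the value the admin entered on the server; it must equal the
    one compiled into the authorised browser build.
    """
    # HTTP header names are case-insensitive, so match on the lowered name.
    supplied = next(
        (v for k, v in headers.items() if k.lower() == HEADER.lower()), None
    )
    if supplied is None:
        return False  # an ordinary browser sends no such header
    expected = request_hash(url, salt)
    # Compare as bytes in constant time so the check leaks nothing via timing
    # and does not raise on non-ASCII header values.
    return hmac.compare_digest(
        expected.encode("ascii"), supplied.strip().lower().encode("utf-8")
    )


# Constructed sample values (assumptions, not real deployment data).
SALT = "constructed-salt-compiled-into-client"
QUIZ_URL = "https://moodle.example.org/mod/quiz/attempt.php?attempt=42"
OTHER_URL = "https://moodle.example.org/mod/quiz/view.php?id=7"


def demo() -> dict:
    good = {HEADER.lower(): request_hash(QUIZ_URL, SALT)}
    return {
        "authorised build": verify_request(QUIZ_URL, good, SALT),
        "no header": verify_request(QUIZ_URL, {}, SALT),
        "build with other salt": verify_request(
            QUIZ_URL, {HEADER: request_hash(QUIZ_URL, "other-salt")}, SALT
        ),
        # A hash captured for one URL must not validate a different URL.
        "hash reused on other URL": verify_request(OTHER_URL, good, SALT),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The check is only as strong as the secrecy of the salt, and the server must hash exactly the URL string the browser hashed, so both sides need the same URL form.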

Discussion

  • We discussed this topic and like the suggestion for the additional header in every HTTP request; this was also one of our ideas for improving security. I'm currently working on the detailed concept, but I guess we could use a hash of the exam settings combined with a salt into an exam key. When you configure SEB, it will display this exam key, which the administrator could then enter into the settings for the quiz in Moodle. Then this exam key together with the requested URL could be used to check if the authorized version of the SEB browser is used for the exam, as you described it.
    This will particularly make sense with SEB 2.0, which will include support for new encrypted configuration files (.seb) with which every exam can be configured individually and quite securely. The .seb file can be downloaded from an exam portal page with some standard browser; when it's opened, it starts SEB, which configures itself accordingly. Like this, exams with unmanaged (student) computers will make much more sense with SEB.

     
  • The question is who can implement this header check in Moodle? Could you please send me the link to the original discussion on moodle.org?

     
    • priority: 5 --> 7
     

  • Anonymous
    2012-11-19

    , you have already commented in the loophole discussion on Moodle, so you have seen that, and I added the additional comments from Tim in the above question which were emailed to me.
    Perhaps you can ask Tim if he would release a patch for Moodle after you have modified SEB? I guess he would as there is a need for this!

     

  • Anonymous
    2012-11-19

    P.S. I started the Moodle loophole thread, sound forge reign was too painful hence did not register... apologies for that!

     
  • Rajiv
    2013-11-01

    Hi, following up on my initial request almost a year ago (and thank you for your efforts to achieve this progress), but when can we expect the Windows version of the SEB?