#26 unable to ensure if secured version of SEB is being used

closed
nobody
SEB (18)
7
2015-07-24
2012-11-09
Anonymous
No

Moodle needs SEB to open the quiz, but there is no check to ensure that the configured SEB instance is being used. A student can easily download another copy externally, and make it customized to avoid the locks that have been put in the secured SEB and hence still answer the quiz.
Can there be some kind of secured communication, between the moodle server and the SEB on the client machine which checks if this is the authorised version of the SEB browser and then allows the test to open?

One suggestion by Tim Hunt at moodle.org is as under:
I think that a reasonable design for a more secure system would be something like this:
Change safe-browser so that it sends an additional header with every HTTP request like
X-SafeBrowser-RequestHash: { here we put SHA1 of some things, e.g. the requested URL concatenated with a salt compiled in to the software }
Moodle can then verify that header is correct, but only if the admin knows the right secure salt (because they compiled this version of SEB) and can enter it into Moodle.

any suggestions?

regards

Discussion

  • Daniel Schneider

    We discussed this topic and like the suggestion for the additional header in every HTTP request, this was also one of our ideas for improving security. I'm currently working on the detail conception, but I guess we could use a hash of the exam settings combined with a salt into an exam key. When you configure SEB, it will display this exam key which the administrator then could enter into the settings for the quiz in moodle. Then this exam key together with the requested URL could be used to check if the authorized version of the SEB browser is used for the exam, as you described it.
    This will particularly make sense with SEB 2.0, which will include support for new encrypted configuration files .seb with which every exam can be configured individually and quite securely. The .seb file can be downloaded from an exam portal page with some standard browser, when it's opened it starts SEB which configures itself accordingly. Like this, exams with unmanaged (student) computers will make much more sense with SEB.

     
  • Daniel Schneider

    The question is who can implement this header check into Moodle? Could you please send me the link on the original discussion on moodle.org?

     
  • Daniel Schneider

    • priority: 5 --> 7
     
  • Anonymous

    Anonymous - 2012-11-19

    , you have already commented in the loophole discussion on moodle, so you have seen that, and I added the additional comments from Tim in the above question which were emailed to me.
    Perhaps you can ask Tim if he would release a patch for moodle after you have modified SEB? I guess he would as there is a need for this!

     
  • Anonymous

    Anonymous - 2012-11-19

    PS: I started the moodle loophole thread, sound forge reign was too painful hence did not register, apologies for that!

     
  • Rajiv

    Rajiv - 2013-11-01

    Hi, following up on my initial request almost a year ago (and thank you for your efforts to achieve this progress) but when can we expect the Windows version of the SEB?

     
  • Daniel Schneider

    Implemented in SEB 2.0.

     
  • Daniel Schneider

    • status: open --> closed
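
The header check proposed by Tim Hunt and the exam key described in Daniel Schneider's first comment, sketched as an added example (not code from SEB or Moodle). SHA-256 stands in for the SHA1 named in the suggestion; the function names, the canonical-JSON serialisation, and the salt, settings and URLs are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

HEADER = "X-SafeBrowser-RequestHash"  # header name from the suggestion above


def exam_key(settings: dict, salt: bytes) -> str:
    """Hash of the exam settings combined with a salt.

    Canonical JSON (sorted keys) is an assumption made here so that the
    same settings always produce the same key.
    """
    blob = json.dumps(settings, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(salt + blob).hexdigest()


def request_hash(url: str, key: str) -> str:
    """Client side: hash of the requested URL concatenated with the exam key."""
    return hashlib.sha256((url + key).encode()).hexdigest()


def verify_request(url: str, headers: dict, key: str) -> bool:
    """Server side: recompute the hash for the URL that was actually requested."""
    sent = headers.get(HEADER)
    if not sent:
        return False  # a browser that does not send the header at all
    expected = request_hash(url, key)
    # Constant-time comparison; bytes avoid errors on non-ASCII header values.
    return hmac.compare_digest(sent.strip().lower().encode(), expected.encode())


# Constructed sample data, not real SEB settings or a real salt.
SALT = b"constructed-salt"
SETTINGS = {"allowQuit": False, "startURL": "https://moodle.example/mod/quiz/view.php?id=7"}
KEY = exam_key(SETTINGS, SALT)  # the value the admin enters in the quiz settings
URL = "https://moodle.example/mod/quiz/attempt.php?attempt=42"

if __name__ == "__main__":
    good = {HEADER: request_hash(URL, KEY)}
    other_key = exam_key({**SETTINGS, "allowQuit": True}, SALT)
    print("configured SEB:       ", verify_request(URL, good, KEY))
    print("header missing:       ", verify_request(URL, {}, KEY))
    print("different settings:   ", verify_request(URL, {HEADER: request_hash(URL, other_key)}, KEY))
    print("header for other URL: ", verify_request(URL + "&page=1", good, KEY))
```

Because the URL is part of the hash, a header value computed for one page does not validate for another, and any change to the settings changes the key. The check is only as strong as the secrecy of the salt and exam key.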
     
