Building A Classroom Teacher's Site with Joomla Part 3 - why use SSL for a school website?
We have set up IP numbering, DNS, routing, and http service for my friend Lisa's new classroom site. We have a website up at her domain, with an index.html that only contains the line "THIS IS LISA'S SITE !!! YES !! IT WORKS !!" in plain text. So, we are moving right down the list we outlined in the first article in the series.
Before we move on to installing a database for her site, and instaling Joomla, now is a good time to install SSL and give the site the security afforded by encryption. SSL, or "secure sockets layer" was first developed by the old Netscape back in the 1990's. It's properly called TLS or "transport layer security" now, and encompasses much more than mere website encryption. I can go in depth into these topics, and the OSI model of network layering, in another article. Here, let me say briefly and simply that we need to encrypt the traffic going in and out of this website, because it's very easy to copy off the packets by controlling any machine along the pathway between browser and website, and if the packets are not encrypted, then all the information, including passwords, private correspondence, grades, personal information about children, etc., is easily readable in plain text. The website visitors will have no knowledge or indication that all their traffic is being read by a third party. Taking it a step further, it's also entirely possible that this "man-in-the-middle" can not only read this traffic, but can also modify the the datastream on the fly.
From a legal and business standpoint, I feel it's in my best interest to make the site as secure as possible, in addition to being in the best interest of the school, Lisa, and most importantly, the children. Some school website companies do not do any kind of encryption, notably SchoolFusion, which is amazing to me, because they're taking a risk that I wouldn't want to take.
Let's give a real world example of a likely problem that might occur. Let's say that one or more of the bright kids in the school is given an assignment or responsibility to help with the school network. Through his work, he is able to obtain the passwords to the primary switch used in the school LAN - the switch that connects to the border router that interfaces with the internet. He then mirrors the ethernet port connected to the border router to another port which is connected to a computer, maybe in a lab or whatever. He then can use various packet sniffing and parsing tools which are available out on the 'net, like Honeysnap and Network Generals' "Sniffer" for instance, to separate out the packets and make what he is interested in, readable in plain text. Now when Lisa logs into her non-SSL website from school, he has her username and password and has obtained administrative privileges to the class or school website. He can then modify grades, change assignments, etc., etc., and basically run amok, or if he is smart, he can sit like a fly on the wall for months or even years and only make very few subtle changes that might benefit him or his friends. Or he can harass other students, since he also has their passwords and can read their mail and etc., - the possibilities for mischief are endless.
If he has access to the router itself, or uses a tool like netcat, he can redirect the mirrored traffic offsite and sit at home and read people's communications at his leisure. Further he can easily hide his real IP number using The Onion Router network or similar, and thus escape identification, even if his network sniffing is detected.
Don't kid yourself - this stuff is not some far-out fantasy. It really happens, it's happening now in many places in the world, and I've seen such situations many times in my career. I've done such things to my own or others' network several times at the request of law enforcement, who subpoena'd us or hired me to track the traffic of suspects. The skills needed are not out of range for a bright kid. They call them "script kiddies" because they download and use pre-made hacking tools - they don't have to invent anything new.
OK, well that's enough of the why we are installing encryption. Those that are knowledgeable may be bored by this but I feel that some educators who are not network engineers will be reading these articles, and I'm hoping to make some of these things clear to those folks. Now let's get to the nitty gritty of actually installing SSL on our friend Lisa's classroom website.
<.. continued in next article ..>
