The Gauteng Department of Education (GDE) has told MyBroadband that its new online school admissions application system is secure.
“All security aspects regarding the infrastructure and firewall are in place and SSL is implemented,” the department said.
However, security expert Dominic White from SensePost disagrees.
“It looks like it’s asking for personal information with no TLS [Transport Layer Security] implemented,” said White.
White said some web applications will submit confidential details over an encrypted channel even if there is no TLS on the site itself, but the GDE admissions portal doesn’t.
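Whether a form's contents leave the browser encrypted can be read from the page's HTML: the following Python code is an added example, not code from MyBroadband, SensePost or the GDE, and it resolves each form's action against the page URL to report whether the submission would travel over HTTPS. The sample URL, HTML and field names are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormCollector(HTMLParser):
    """Collect each <form>'s action and the names of its input fields."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._open)
        elif tag in ("input", "select", "textarea") and self._open is not None:
            if a.get("name"):
                self._open["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_forms(page_url, html):
    """Return (target_url, verdict, fields) for every form on the page."""
    parser = FormCollector()
    parser.feed(html)
    page_is_tls = urlsplit(page_url).scheme == "https"
    results = []
    for form in parser.forms:
        # An empty or relative action inherits the page's own scheme.
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            verdict = "plaintext-submit"
        elif not page_is_tls:
            # The data is encrypted in transit, but the form itself arrived
            # unprotected and could have been altered on the way.
            verdict = "encrypted-submit-from-plain-page"
        else:
            verdict = "ok"
        results.append((target, verdict, form["fields"]))
    return results

# Constructed sample page; the host and field names are placeholders.
SAMPLE_URL = "http://admissions.example/apply"
SAMPLE_HTML = """
<form action="/submit" method="post"><input name="id_number"><input name="phone"></form>
<form action="https://secure.admissions.example/submit" method="post"><input name="id_number"></form>
"""

if __name__ == "__main__":
    for row in audit_forms(SAMPLE_URL, SAMPLE_HTML):
        print(row)
```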
What is the risk?
“Specifically, the risk here is that anyone able to intercept your communications, such as ISPs or people actively sniffing traffic on open Wi-Fi networks, would be able to see your information,” said White.
He said your Internet service provider already has this information for the most part, and that he can’t imagine scores of people using this service on Wi-Fi networks filled with people monitoring them.
Getting the basics wrong
However, TLS is one of the basic security requirements for a site such as the GDE’s new online admissions portal, said White.
If such a basic feature is missing, one has to wonder how much due diligence was done.
White said that without checking – which would be illegal without first receiving permission from the GDE – there is no way to know how secure the site is.
Update: Since the time of writing, the GDE has implemented TLS on the new admissions portal. The Qualys SSL Labs server testing tool gives it a failing grade.