The HTTPS Everywhere campaign received a small boost this week with a commitment by a UK schools technology provider to roll out secure logins for a service used by many educational establishments.
Reg reader and former school governor Paul F tipped us off about security shortcomings in RM Easymail which he claimed were so severe that he baulked at using the service, a supposedly more secure alternative to personal webmail accounts for school governors and the like.
“I was a school governor for about 14 years, and towards the latter part of that time the governors were 'encouraged' (ie, forced) to use school-assigned email accounts, as governors' personal email accounts were deemed insecure,” Paul F explained. “We were all allocated email accounts for the 'RM EasyMail' service. The email containing our logins and passwords was sent to all of us, naturally, but after I looked at this web-based email service I refused to use it as it didn't appear to use encryption on the login screen.”
A quick Google reveals that insecure logins for RM EasyMail remain commonplace in the schools sector (we sent a few examples along with our query). El Reg put our tipster's security concerns to RM Education, which responded promptly with a statement acknowledging the issue while providing reassurance that it was encouraging schools to move towards more secure systems.
RM Easymail can be used via SSL encryption but requires some action on behalf of each customer. Many customers are already using this mechanism to access RM Easymail.
For those school domains that you’ve listed we will make proactive contact to help them through the process of enabling SSL. Following your enquiry we recognise that we may not have made this option clear enough to schools and so we will take action to remedy this, including a notification on the login page.
It’s also worth noting that we are currently trialling the migration of RM Easymail customers onto a cloud-based email platform: Outlook Office 365 from Microsoft or Gmail from Google Apps for Education. The trial is to ensure that our customers receive a smooth and hassle-free transition. We will then launch the service on completion of successful trial sites.
Paul F was somewhat unconvinced about this response. “It has been unencrypted for years, so they're not exactly proactive,” he told El Reg. “I would have thought a redirect to an https link would have been simple enough to implement.”
That’s as may be, but RM’s reply explains that a sysadmin has to turn on SSL in the settings for each particular site to enable secure logins. It’s unclear why encryption wasn’t applied by default in the first place. In any case, Paul F’s experience suggests awareness of the importance of secure logins in safeguarding login credentials and other important information is somewhat lacking in the UK schools sector.
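The missing redirect Paul F describes and RM's per-site SSL switch boil down to one question a school's administrator can check for themselves: is the login page served over HTTPS, does its form post over HTTPS, and is HSTS set so a typed http:// address is upgraded? The following is an added example (not RM's code or anything from the article) that makes that check; the host name and sample page are constructed.

```python
"""Check whether a web login page enforces TLS. Added example, not RM's code."""
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class _FormScanner(HTMLParser):
    """Collect <form action> targets and note whether a password field exists."""
    def __init__(self):
        super().__init__()
        self.actions, self.has_password = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True

def assess_login_page(final_url, headers, body):
    """Return findings for a fetched page (empty list means no issue found).
    final_url is the URL after redirects; headers is a dict with lower-cased keys."""
    findings = []
    page_scheme = urlsplit(final_url).scheme
    if page_scheme != "https":
        findings.append("login page served over plaintext HTTP")
    scanner = _FormScanner()
    scanner.feed(body)
    if not scanner.has_password:
        findings.append("no password field found; may not be a login page")
    for action in scanner.actions:
        target = urljoin(final_url, action)  # a relative action inherits the page scheme
        if urlsplit(target).scheme != "https":
            findings.append(f"form posts credentials over HTTP: {target}")
    if page_scheme == "https" and "strict-transport-security" not in headers:
        findings.append("no HSTS header; a typed http:// URL still starts in plaintext")
    return findings

def fetch_and_assess(url):
    """Live variant: fetch the URL (redirects are followed) and assess the result."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        headers = {k.lower(): v for k, v in resp.headers.items()}
        return assess_login_page(resp.geturl(), headers, resp.read().decode("utf-8", "replace"))

# Constructed sample (hypothetical host): a plaintext login page with a relative action.
SAMPLE_URL = "http://mail.example.invalid/login"
SAMPLE_BODY = ('<form action="/auth" method="post"><input type="text" name="user">'
               '<input type="password" name="pass"></form>')
```

`fetch_and_assess` runs the same checks against a live URL; the sample constants exercise the logic offline.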
“When I pointed out the lack of TLS for the mail login screen at the school, it fell on deaf ears,” Paul F explained, “perhaps as you'd expect for a load of non-techies. The irony was that RM Easy Mail was introduced as a security measure, as using individuals' personal email accounts was deemed insecure.
“Anyway, I refused to use it, and they had to print everything out for me,” he added.
RM Education earned its stripes in the education sector supplying PCs & software to schools as plain old RM before morphing into a major supplier of everything IT-related in the educational market. ®