Stephanos @ 14th December 2012, 9:02 pm wrote:
However, in case of LanSchool, the server program (LanSchool Teacher) that signs all of its sending packets is exposed to public - must be distributed to all school computers (and so must be the private keys). As an alternative, even if you store the private key (would be pfx file for certificate) separately on a network location only accessible by certain user accounts (possibly SMB with AD), it is only a matter of time until someone eventually intercepts or obtains (using any means of method) the private key (as you see, by common design practice, transferring a private key over the network in a frequent manner is never a recommended method). In my personal opinion, I would not consider this to be a complete or permanent solution. However, on the other hand, since who we are dealing with here is just a bunch of high school students - not a group of professional hackers - I suppose this rather comes out to be a simpler and acceptable solution than I thought earlier.
Well, I am assuming the teachers and school network admin know what they are doing and can stop the private key from being stolen. If not, you could store it on a USB key or encrypt the private key with a passphrase (or do both for maximum security). They might also be able to use LDAP to share the private key with only the correct user and have it automated on login to their Windows/network account. You would have similar issues with any system. For example, with a centralized system, an attacker could steal the teacher's login details with a key logger or some other attack outside of the system.
In any case the point is LanSchool has many options to pick from that would make the system reasonably secure. Hopefully they will see your blog post and act on it.
They were recently bought by stone-ware, which seems to be big on cloud computing, so they may have already drastically changed how LanSchool works. It looks like they now have a "Classroom Management from the Cloud" feature, which I am guessing would require a centralized system.