Extended SSL Security for All Schoology Users and What That Means for You
In our continued commitment to keeping your students safe and secure while using Schoology, we have released SSL web page security for all pages on the site for all users, including the login page. For our enterprise clients, SSL security for all pages has been an option (since you provide the SSL certificate and key for us). However, for the past 6 months we have been committed to making this available to all users. As of today, all users should have SSL enabled access.
Previously, Schoology used SSL security limited to the login pages to protect sensitive information such as passwords and usernames. To learn more about the how's and why's of this change, please continue reading. Others interested in "just the facts" should proceed to the section, “This All Sounds Great! Is There Anything We Need to be Aware Of?”
What is SSL?
Wikipedia explains: “Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet.” In other words, SSL secures all communications between browsers and Schoology’s servers. SSL automatically encrypts user communications with Schoology, while preventing hackers and attackers from sniffing out sensitive data if the user is on an unsecured Wi-Fi hotspot or network (like those in local coffee shops, airports, etc.). You will know you are on an SSL-secured network by the presence of a lock icon on the browser.
*Note: This may look slightly different depending on your web browser
Why Require SSL System-Wide?
For the past few years, we have had SSL enabled for our login process to protect usernames and passwords from unauthorized users. However, since most activity occurred in protected, secure settings, there was minimal to no risk to the other pages even without using SSL. Industry standards are typically to use SSL only on the login, although a growing trend has been to protect all pages with SSL. This was especially true given the narrow focus of Schoology (e.g., academic content versus something like financial information).
Over the past year, there has been a seismic shift in the industry, particularly a movement towards 1:1 initiatives and bring-your-own-device programs (BYOD). This trend is inspiring and magnificent to watch, yet it has warranted our full attention to protect you and your students. As a company, we have noticed that mobile usage has shifted from being a small component of our traffic to a much larger one. In addition, our user base has grown and globalized; we have more than 2 million users across nearly every country in the world.
For users of our native mobile apps (a large percentage of our total mobile users), all traffic occurs through our API which has and always will use SSL to provide maximum protection. For web users, adding SSL provides extra protection for any user information. We have never experienced any security issues, however, we are being proactive and feel that at this time, given user demographics and the shift to mobile usage, we must take extra measures to protect your information.
If SSL is Important, Why Wait Until Now?
We will never compromise on security, and SSL is the best security protocol available today. Schoology constantly reviews its security and privacy policies, taking every measure possible to protect user information (e.g., roles, permissions, and privacy). With that in mind, implementing SSL at this scale for all users required careful planning, coordination, and execution to minimize the effect on site performance as well as content delivery.
For the past 6 months we engaged in a methodical planning and testing process. We began by testing and rolling out SSL across our free user base. Some of the issues we found included slower page loads and our load-balancers needing an upgrade to handle additional quantities of secure traffic.
Equally important was protecting user content, the copious amounts of academic material generated by users. This academic content comes in all shapes, sizes, and formats. Most of our users who develop content are not always aware whether or not the third-party content they are embedding into Schoology's LMS is served through HTTPS (with SSL encryption). This means that if we had simply (and without careful planning and forethought) enabled SSL, there would have been a significant chance that much of the user-created content and academic material would be damaged or lost. For this reason, we decided to wait until the end of the current school year to roll out system-wide SSL.
Waiting also gave us time to adjust content on the back end, thus minimizing user disruption. We could not afford risking the integrity of the system (images disappearing, for example) while students were taking final exams.
This All Sounds Great! Is There Anything We Need to be Aware Of?
Absolutely! For users developing content, or embedding third-party content into Schoology, it is important to utilize sources that provide SSL. For instance, when embedding a YouTube video, opt for the HTTPS version. Sometimes this is not possible, and in that case, users may see a notification telling them that there is “insecure content” on the page. If this notification appears, there should be a button or option presented by the browser to ignore the warning and display this insecure (non-HTTPS) content. For more information, please see our help article about this.
Okay, What’s Next?
Because we are committed to keeping Schoology safe and secure for our users, all Schoology webpages will be served through HTTPS. We will continue to explore every available system and protocol to do the best job possible. We are excited to make this change, and, as always, we would love to hear any thoughts, questions, or comments on this matter or any other!