Securing tincan course against replay / fraudulent statements


Question

We have courses using the tincan api to report progress in courses to our own learning record store (LRS). The courses are provided by a third party and run in the user's browser as HTML pages.

Since all tincan statements sent from the course can be manipulated (simple REST interface), we identified that it would be possible to craft or replay a "course success" message which the LRS will accept.

  • What possibilities are there to prevent fraudulent messages?

  • What are common layers of protection?

Answer

Great question! Any application that uses client side code (including any SCORM package) is going to be vulnerable to fraudulent data, so this is an important issue to consider.

There are broadly three approaches you can take here depending on your exact situation and how important security is to you.

  1. Doesn't matter:

In a lot of cases online learning is either self-directed, so the learner has no incentive to cheat, or is not sufficiently important that it's worthwhile taking the risk of impact on your career by cheating. Cheating may be detected and action taken by a human if the pattern of statements looks odd, or if the learner's subsequent behaviour does not match that of somebody who successfully completed the course.

There may also be easier ways to cheat than sending fraudulent statements, such as asking a colleague or friend for the answers, or finding the correct answer in the code. Security is only as good as the weakest point, and if that point is not Tin Can, there's no point focusing your efforts there: don't buy a bigger lock for your door if there's a hole in your wall.

To support this approach, Tin Can statements have an authority property that states who asserted the thing happened. This allows reporting tools and users viewing the data to determine how much they trust that data.

For any client side tracking, that level of trust should be relatively low, but in many cases that's ok. Bear in mind that the two main ways of finding out about people in order to offer them jobs are CVs and interviews, both of which rely on the employee's self assertion. The important thing is to know how reliable the data is.

  2. Restrict credentials:

If you have to use client side tracking, you can improve security a little by restricting the permissions and scope of the credentials used to launch the content. Consider what data you expect the course to send, and limit the credentials to that data set. This approach won't stop an individual learner claiming to have passed the course, but will prevent them from issuing statements about other learners or other courses. It's damage limitation, not prevention, but brings the security of your client side tracking up to the same level as, or slightly higher than, you had with SCORM.

  3. Server side tracking:

If security really is important to you, then the only choice (which wasn't available in SCORM) is to do the tracking server side. There are free open source code libraries for many of the main server side languages. Tracking server side allows you to hide the credentials from the learner's computer, so the risk of anybody getting at these credentials and sending fraudulent statements is much lower.

As I mentioned above, you do need to make sure you've addressed the rest of the chain too. Server side tracking may be a pointless investment if questions are marked client side (the learner can find the correct answers in the code), or if there's no way of verifying the identity of the user being assessed (their friend can sit the test for them).

If you've already got your courses using client side tracking, perhaps created by an authoring tool, this option is likely to be the most expensive, so you'll need to consider how important security is. Some adopters have taken the approach of using client side tracking for the learning experience, followed by a server side tracked assessment.

All in all, Tin Can has the potential to be considerably more secure than SCORM if done right, but you do need to think through the whole process end to end, and not just the tracking.

Let me know if you have any follow up questions on any of these three approaches.
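As an added example (written for this page; not code from the original answer or from any Tin Can/xAPI library), the following Python models approaches 2 and 3 above together with the authority property: a launch credential scoped to one learner and one course, so that statements about other learners or other courses are refused, and a server-side path that grades the result and asserts the "passed" statement under the server's own authority with credentials the browser never holds. The learner mailboxes, the course IRI, the server account and the toy LRS are constructed for the example; the statement field names and the passed verb IRI are the standard xAPI ones.

```python
"""Scoped credentials and server-asserted statements, illustrated on a toy LRS."""
import copy

PASSED_VERB = "http://adlnet.gov/expapi/verbs/passed"  # standard xAPI verb IRI

# Constructed identity for our own server; used as `authority` on statements
# the server asserts itself, so consumers can tell them from client claims.
SERVER_AUTHORITY = {
    "objectType": "Agent",
    "account": {"homePage": "https://lms.example", "name": "assessment-service"},
}


class Credential:
    """LRS credentials limited to a set of learners and activities (approach 2).
    A launch credential for client-side content is scoped to one learner and
    one course; the server's credential is broader but never leaves the server."""

    def __init__(self, learners, activities):
        self.learners = set(learners)
        self.activities = set(activities)

    def allows(self, statement):
        actor = statement.get("actor", {}).get("mbox")
        activity = statement.get("object", {}).get("id")
        return actor in self.learners and activity in self.activities


class ScopedLRS:
    """Constructed stand-in for an LRS that enforces credential scope.
    post() returns 200 when the statement is stored, 403 when refused."""

    def __init__(self):
        self.stored = []

    def post(self, credential, statement):
        if not credential.allows(statement):
            return 403
        self.stored.append(copy.deepcopy(statement))
        return 200


def client_passed_statement(learner_mbox, activity_id):
    """What client-side content sends: the learner's own browser asserts the
    pass, so the authority is the learner and should be trusted accordingly."""
    return {
        "actor": {"mbox": learner_mbox},
        "verb": {"id": PASSED_VERB, "display": {"en-US": "passed"}},
        "object": {"id": activity_id},
        "authority": {"mbox": learner_mbox},
    }


def server_side_pass(lrs, server_credential, learner_mbox, activity_id, score, pass_mark):
    """Approach 3: the server grades the result and only on a pass asserts the
    statement under its own authority. Returns the statement, or None."""
    if score < pass_mark:
        return None
    statement = {
        "actor": {"mbox": learner_mbox},
        "verb": {"id": PASSED_VERB, "display": {"en-US": "passed"}},
        "object": {"id": activity_id},
        "result": {"success": True, "score": {"raw": score}},
        "authority": SERVER_AUTHORITY,
    }
    return statement if lrs.post(server_credential, statement) == 200 else None


def demo():
    """Run both approaches on constructed data and return what happened."""
    course = "https://lms.example/courses/101"  # constructed activity IRI
    alice, bob = "mailto:alice@example.com", "mailto:bob@example.com"  # constructed
    lrs = ScopedLRS()

    # Alice's launch credential covers only Alice and this course. She can still
    # claim her own pass, but statements about Bob or another course are refused.
    launch_cred = Credential([alice], [course])
    own_claim = lrs.post(launch_cred, client_passed_statement(alice, course))
    other_learner = lrs.post(launch_cred, client_passed_statement(bob, course))
    other_course = lrs.post(launch_cred, client_passed_statement(alice, course + "-advanced"))

    # Only the server holds a credential for all learners, and it asserts a
    # pass only after grading; a failing score produces no statement at all.
    server_cred = Credential([alice, bob], [course])
    failed = server_side_pass(lrs, server_cred, bob, course, score=40, pass_mark=70)
    passed = server_side_pass(lrs, server_cred, bob, course, score=85, pass_mark=70)
    return {
        "own_claim": own_claim, "other_learner": other_learner,
        "other_course": other_course, "failed": failed,
        "passed_authority": passed["authority"] if passed else None,
        "stored": len(lrs.stored),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point of keeping the two paths side by side is visible in the stored statements: the one posted with the launch credential carries the learner as its authority, while the server-graded one carries the server, which is exactly the signal the answer says reporting tools should use when deciding how much to trust a record.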
