sniffing syncing traffic

erikringmar

Hi,

I'm running a course where I'm using Zotero to share material with students. It's important to me that no outsider is able to sniff out what material we are sharing. The course is private but what about the syncing traffic? Is there a way for outsiders to sniff that out (I'm using a SSH tunnel myself, but my students aren't).I'd really like to know that the syncing process is completely secure.

ajlyon

The sync server and API server support only HTTPS. This can be cracked, of course, but it's probably not the weakest link in your security. I'd be much more concerned about a student computer with a trojan that gave access to the library locally.

erikringmar

Hmmm ... I teach in a country not well known for its defense of free speech. Some of my material is controversial. What to do about Trojans on student computers?

ajlyon

This isn't really the place for such general advice on securing computers, but I don't know if I would ever make the assumption that things I share with my students have much chance of being private. Teaching is about openness, at a rather fundamental level. Once you give someone knowledge, you can't really control what they do with it.

adamsmith

nothing - if the government of a country really wants your course data it will get it.

Only a group of very sophisticated users with no weak link would be able to prevent that and that would involve a major degree of quasi-paranoid activity.

Zotero is at least as safe as any other form of online communication - if security is really a concern, don't include controversial material in the online course documents at all - stick to paper versions.
How far you want to take it is really a matter of what risks we're talking and what level of government repression.

edit: overlapped with ajlyon, but seems like we agree.

erikringmar

That sounds nice and fine and I agree. What my students do with their knowledge is up to them, but I have an obligation to make sure that my course doesn't get them into unnecessary trouble. But I take your point about this being the wrong forum for trojans. However, any advice on how to make Zotero syncing more secure from sniffers would be appreciated.

adamsmith

Zotero sync is safe by industry standards - it uses essentially the same type of encryption banks and credit card companies use. I'd go further than ajlyon and say that it's safe to assume that if someone wants your course data, sniffing https encryption is not going to be the way they go about that.

erikringmar

Adam, thanks. I understand. But some material is difficult to share in paper form -- the files are too large or it's a question of YouTube clips. We don't have access to YouTube in our country, but I wanted to share some of my downloads with my students. Some kind of encryption on the syncing would be great.

erikringmar

Adam, thanks again. That's very reassuring. None of the material is actually compromising to the students, or truly politically subversive. It's just that you never know what a gov't censor might be up to -- I guess they have their grumpy days at work too.

ajlyon

The files are all encrypted while in transit -- that's what SSL gives us. Adamsmith is right-- sniffing HTTPS traffic is much harder than any of a thousand ways for security services to find out what you're doing in your classes.

ajlyon

But it is worth mentioning that SSL has been having some bad days recently: http://www.theregister.co.uk/2011/04/11/state_of_ssl_analysis/

erikringmar

Thanks, Ajlyon, I'll keep that in mind. We should be OK (lets hope).