Moodle LMS 4.3 – A Leap With Security

As an open-source enthusiast, I’m thrilled to see new developments in the open-source community. I’ve been a user of Moodle for more than 10 years, and have managed institutions with this LMS for about 8 years. More importantly, in the past five years, it’s been a key element in my day-to-day tasks ensuring that it is secure and available for all end users as it is a core component for instructor/student delivery material at the university. On October 9th, Moodle introduced Moodle LMS 4.3 as the newest chapter in its ongoing journey of empowering educators and learners with unmatched open-source learning solutions!

Among the many features it has enhanced, I am keen to point out the boosted security features:

  • In the past year and a half or so, I have been using the multi-factor authentication plugin that is maintained by Catalyst IT. From time to time it would break after every Moodle core upgrade, so I’d have to wait until the developers provide an update. However, it is now integrated into the code of Moodle’s core. This plugin leverages APIs to enable plugins to augment the login process instead of replacing it. This means that this MFA plugin can be added on top of any other authentication plugin resulting in a much cleaner architecture, and it means you can compose a solution that does everything you need instead of compromising by swapping out the entire login flow. Meaning this can still work with existing SSO flows for example.
  • It also improves 2nd factor verification flow – It has a new UI that is presented to the user after they have logged in (entered username and password etc.) The “verify another way” section shows other available (configured) MFA methods for that user
  • MDL-54704 – SSL support for connection to Postgres and MySQL Database. Moodle did not have SSL-support for the connection to a database for any of the supported DBMS. This might be unproblematic for moodle and database running on the same server. However, using separate servers, which is necessary for bigger moodle instances, allows potential man in the middle attacks.
  • MDL-67390 – Update password hashing to SHA-512 as the new algorithm and upgrading bcrypt on login (lazy upgrade).
  • MDL-72622 – Support TLS connections for Redis – Essentially, Redis v6 supports TLS connections, and this is the default setup for eg Azure Cache for Redis (disables access on port 6379, enables TLS connections on port 6380). The current Redis caching plugin makes an assumption that all connections are unsecured, and it would be good to support TLS where available.
  • MDL-76656 – Web service tokens should be read-once. If you forget it, then you create a new one.
  • MDL-50160 – HTTP only cookies (cookiehttponly) default set to on and UI setting removed, browsers were instructed to send cookie with real http requests only, cookies should not be accessible by scripting languages.
  • MDL-67774 – Specify password peppers in config.php. NIST guidelines from 2017 recommend a pepper as well as a salt.
  • MDL-53368 – Captcha available on login page. Having a captcha on the login page will add an extra layer of protection against user account brute force attacks and bot logins. This functionality will also bring the login form in line with the self signup form and site contact forms where captcha is already enabled.
  • MDL-69958 – Support /.well-known/password-change requests from password managers.
  • Most modern password managers will automatically scan for passwords which have been compromised and alert you to change them. There is a spec which allows password managers to blindly link to a well known url for resetting a password on any site: /.well-known/change-password Specifically for moodle this should redirect to: login/change_password.php
  • MDL-78801 – Add Auto logout settings for the mobile app. This is related to MOBILE-3838 which indicated that for security reasons it would be good if the app supports closing the user session when the user leaves the app or after certain time.
  • MDL-78698 – Deprecate random_bytes_emulate function. The function random_bytes_emulate (https://github.com/moodle/moodle/blob/master/lib/moodlelib.php#L8496) tries to generate cryptographically secure pseudo-random bytes. It does this by progressively falling back to alternate (worse) methods of generating random bytes.
  • MDL-78571 – Media: Allow Vimeo do not track option. Vimeo has the option to set a “Do not track” parameter when requesting videos. Setting this parameter to “true” will block the player from tracking any session data, including all cookies and analytics
  • MDL-62401 – Embed YouTube videos with nocookie extension. This issue adds a configuration option to the YouTube media player that when set the Moodle LMS generated embed code uses the youtube-nocookie.com domain.
  • MDL-75372 – Add logging for URLs which fail the cURL security helper blocking.

Overall, these security improvement streamlines compliance, enhancing reliability and user trust for organizations. Data protection and privacy are paramount. Moodle 4.3 aligns with General Data Protection Regulation (GDPR) standards, safeguarding user data and ensuring compliance with international data protection regulations. Kudos to the moodle team!