FIELD OF THE INVENTION
The present invention relates to the field of human computer interfaces for documents, preferably structured documents having information objects, in which the information objects are secure.
BACKGROUND OF THE INVENTION
Secure browsers are designed to provide a secure environment to deliver valuable content and assessments such as tests and exams. Web servers can deliver questions to any web browser, but most browsers are designed to be as open and flexible as possible. When you are delivering secure content or assessments online you need far more security than most browsers provide.
With a secure browser, a content provider can specify that secure content such as a test or an exam may only be delivered in such manner as to significantly reduce the likelihood of cheating, or inappropriate disclosure of sensitive content.
Secure browsers allow a content provider to prevent users from printing questions, using the right-click on the mouse, saving the HTML, viewing the source, and accidentally exiting an assessment in a proctored environment. The look and feel of the screen displayed may otherwise correspond to that of a normal browser, except pages may not be stored (cached) in the history, and certain menu options and icons are not displayed or are made unavailable.
Web browsers are typically flexible and open programs which aid the user in navigating the Internet, running programs or applets, and giving the user full control over what he/she is doing. But when browsers are used to take assessments, it's desirable that the user should not have full control and open access. Since the assessment is designed to measure knowledge or a skill, and sometimes has consequences for passing or failing, it's desirable that what the user can do is restricted; essentially the user should only take the assessment and not be able to perform other tasks. For example, it can be desirable that users should not be able to navigate the Internet (where they might find right answers), communicate with others, run other programs, print the screen or copy the questions to other people and so on.
This need has given rise to “secure browsers” or “locked down browsers” or “kiosk software”, which are versions of standard browsers which limit the functions that the user can perform. Computers which are used to deliver assessments therefore typically have secure browsers installed, and these lock down the computers to prevent unauthorized actions while taking an assessment.
These secure browsers fulfill needs in situations where users take assessments on their own. But very often assessments are mixed in with other uses of the computer. For example, a learning management system might accept a student's login and allow him or her to choose an assessment; a student might undertake some online course (where they are allowed free use of their browser) followed by an assessment (where they are not); or a corporate executive might use their corporation's intranet, and then be scheduled for a business rules or product knowledge or safety regulation exam. Other secure browser products, such as the Vantage Vanguard™ 3.0 secure desktop environment, Questionmark's own, prior Perception Secure Browser product, or Software Secure's Securexam Browser, lack the flexibility these mixed scenarios call for, making full use of the computer in both secure and insecure modes difficult. Such secure browsers need to be specifically launched to take the assessment; they cannot be launched on demand by an ordinary browser when secure content delivery is required.
In such mixed scenarios, it would be desirable to have a browser which can become secure when an assessment (or other secure content) is started and then become open again when an assessment (or the secure content) is finished.
Essentially, the problem may be stated as follows: it is desired that secure content be callable from insecure content, with the secure content run securely. Likewise, it is desired that an open user environment be triggered into a restricted user environment, with some assurance that the restricted conditions are maintained.
The following patents, each of which is expressly incorporated herein by reference in its entirety, relate to known testing and/or assessment systems:
U.S. Pat. Nos. 3,654,708; 4,486,180; 4,671,772; 4,764,120; 4,793,813; 4,798,543; 4,877,408; 4,895,518; 4,978,305; 5,002,491; 5,011,413; 5,059,127; 5,170,362; 5,176,520; 5,180,309; 5,195,033; 5,204,813; 5,211,563; 5,211,564; 5,259,766; 5,261,823; 5,334,326; 5,372,507; 5,433,615; 5,437,553; 5,437,555; 5,441,415; 5,496,175; 5,513,994; 5,545,044; 5,565,316; 5,577,919; 5,597,312; 5,618,182; 5,657,256; 5,727,950; 5,743,743; 5,813,863; 5,879,165; 5,947,747; 6,112,049; 6,162,060; 6,259,890; 6,112,049; 6,418,298; 6,551,109; 6,513,042; 6,505,031; 6,498,920; 6,482,012; 6,482,011; 6,468,085; 6,449,598; 6,431,875; 6,418,298; 6,393,107; 6,341,212; 6,302,698; 6,282,404; 6,261,103; WO 01/93161
SUMMARY OF THE INVENTION
It is possible to have a secure browser with secure and open operating modes, which checks whether the content of each page is secure or not before deciding how to display it. But this requires the secure browser to be running in advance of reaching the secure content. This would also require every page of the secure content to be identified as secure and to carry security checking, whereas it would be more desirable to security check only on initiation. It is preferable to allow use of standard browsers for ordinary use, not special ones.
According to a preferred embodiment of the invention, web content (HTML, XHTML, XML, etc.) may be maintained as secure, in that participants can view and interact with it, including sending back responses, but participants should not be able to run other programs while viewing it, should be limited in their ability to navigate through the content in ways not permitted by the content, should not be able to see the source code of the document (e.g., HTML), and/or should not be able to copy or export it in any way. This is called “secure content”. There are means of displaying secure content at present, but these need to be specifically started by the participant prior to encountering the secure content. The present invention covers methods and apparatus for allowing the display of the secure content through a secure browser which is launched automatically when such secure content is encountered. Typically the user would encounter a reference to the secure content within ordinary content, and would choose or be directed to run it. The secure content is identified, for example, by a MIME type (or other type that browsers can recognize), which causes the initiation of a new program, a secure browser, to run that MIME type. When the secure browser is installed, it is associated with the MIME type and any file extensions defined for the MIME type. It might also be possible to automatically download a secure browser, either as a separate application or applet, when the MIME type is first encountered.
It is particularly preferred that the server either test to ensure that the secure browser is installed before transmitting the secure content, or provide the secure content in encrypted form and prevent decryption except by a properly installed secure browser. If the secure browser is not installed correctly, the server host will not allow transmission and/or use of the secure content by the participant. Communication from the secure browser to the host of the secure content therefore preferably includes information that allows the host to verify that it is communicating with the secure browser. The secure browser then runs the secure content, providing limited functionality to prevent the participant from taking restricted actions, which may be defined by the secure content and/or the server host. Once the secure content is finished, the secure browser closes itself.
A particularly preferred aspect of the invention provides that a user access of secure content invokes the secure browser, which otherwise is uninvolved in content viewing.
The Secure Browser is designed to provide a secure environment to deliver assessments such as tests and exams. Servers can deliver questions to any web browser, but most browsers are designed to be as open and flexible as possible. When assessments are delivered online, far more security is required than most browsers provide. The test author can specify that a test or exam may only be delivered via a secure browser, to significantly reduce the likelihood of cheating.
The test author can configure a cooperating server to only deliver assessments to a secure browser. This feature allows restriction of users from printing questions, using the right-click on the mouse, saving the content or portions thereof (e.g., HTML source), viewing the source, and accidentally exiting an assessment in a proctored environment.
The look and feel of the screen displayed may be very similar to that of a normal browser, such as Internet Explorer, although the pages are not stored in Internet Explorer's history listing, and some navigation buttons and toolbars are usually omitted. Likewise, various components of a host browser or operating system may be employed for content presentation, rendering, and use.
The present method and system enables high stakes testing to be performed from a computer lab or training room, without any special configurations. Secure Socket Layer protocol (https:) may be used to frustrate network sniffing, and provide an authentication protocol to start delivering high-stakes tests.
The Secure Browser provides the same facilities as typical browsers, but it incorporates many additional security features. It may also be of interest for other applications where a secure browser is needed.
Ordinary browsers can be configured to provide a more secure environment in the following ways, among others:
Using the browser in kiosk mode
Using the administration kits made available by Microsoft and Netscape
However, none of these approaches are completely secure. Participants can always exit the browser, and can usually side-step your protection with special key presses or with the right-mouse context menu. Secure Browser has various security features that address these issues.
Security Features in Secure Browser
The Secure Browser may have the following security features:
Secure Browser versus Ordinary Browsers

| Security Issue | Ordinary Browser | Secure Browser |
|---|---|---|
| Printing and copying | Participants can print out questions, or copy them into applications to pass on to others. Even with assessments using random selection from a question bank (so that each test is different), the question bank is not of unlimited size. So if many participants copy the test they have received, the full question bank will not remain secret for long. | All printing is disabled unless Secure Browser is configured to allow printing on the current page. Copying documents or screen shots to the clipboard is also disabled. |
| Screen display | Participants can change the screen size and use other software from the desktop, and use the navigation buttons and menu items. | Assessments always take up the whole Windows display. No browser menus are presented. The toolbar can be hidden or its buttons enabled or disabled. |
| Screen refresh | Participants can disrupt the testing process inadvertently. For example, it's common to present several questions in one document, but not submit the answers to the server until a “submit” screen button is pressed after they are all answered. If the participant answers some questions, and then refreshes (reloads) the screen, the unsubmitted answers will be lost. | Refresh (reload) of the screen is disabled unless Secure Browser is configured to allow refresh on the current page. |
| Shortcut keys | Participants can pretend that the software failed, in order to invalidate their attempt (if they know they are doing badly). For example, they might press Ctrl+W or Alt+F4 to close the browser, or Backspace to go back in the browser and lose their current answers, and pretend it was inadvertent or was a software error. This is a concern when a participant is limited to a maximum number of attempts (for example, three in their lifetime) or must wait a fixed time before retaking an examination if they fail it. | All browser control keys and right-mouse context menus are disabled. The only way to exit Secure Browser is from the toolbar if it is visible or by having a button provided by the server to exit. Unless the participant is prepared to turn off the machine, they cannot disrupt the assessment. |
| HTML source | Participants can view the source of the HTML documents. Although the system does not put any sensitive information like correct answers in the source of HTML, there is some information that could be of interest to someone trying to subvert the system, for example the URLs to graphics or multimedia objects. | HTML source documents cannot be viewed. |
| Other URLs | Participants can access other URLs while taking a test, for example websites that might contain the right answers to the questions. | The participant can't enter a URL. A start URL is defined, and the only other URLs that can be navigated to are those linked to from the assessment. |
| Other software | Participants can use other programs on their PC, for example, spreadsheet or calculator programs or email clients. | No other software is available to the participant. Task switching is disabled, and other programs cannot be run. |
| Application capture | It's possible to capture the screens presented in a variety of ways, including using screen capture programs which capture the screen every few seconds or screen sharing programs which allow you to application share and copy your screen to other computers. | A secure browser can detect all other processes and applications running on the PC, and either refuse to run if certain applications are running, automatically shut down any processes or applications on a “black list” of known problem applications, and/or keep a list of all the processes and applications running on the computer at the time of delivery of the secure content, and include this list with the test results, so that a future audit can check whether any unsuitable processes were running. |
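The last row of the table describes three ways a secure browser can act on the processes it finds running: refuse to start, shut the offending ones down, or record them with the results for a later audit. The following is an added example, not code from the Secure Browser itself, showing one way to implement that decision and the audit record. The block list, the process names and the snapshot are constructed; in a real deployment the operating system's process enumeration would be passed to `audit_processes()` in place of the constructed list.

```python
"""Process check and audit record at secure-content delivery time.

Added example (not the Secure Browser's own code). The process names,
block list and snapshot below are constructed; a real deployment would pass
the operating system's process enumeration to audit_processes().
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed block list: executables assumed to capture or share the screen.
# Matching is on the lower-cased executable basename only.
BLOCK_LIST = {"screencapture.exe", "screenshare.exe"}


def _basename(path: str) -> str:
    """Normalise a Windows or POSIX path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def audit_processes(snapshot, block_list=BLOCK_LIST, policy="refuse"):
    """Decide whether to deliver the secure content, and build the audit record.

    snapshot:   iterable of (pid, executable path) pairs.
    policy:     "refuse"    -> do not start if any blocked process is running;
                "terminate" -> deliver, and report the pids the browser should shut down;
                "record"    -> deliver, but keep the full list for a later audit.
    Returns a dict suitable for attaching to the submitted test results.
    """
    if policy not in ("refuse", "terminate", "record"):
        raise ValueError("unknown policy")
    processes = sorted((int(pid), _basename(exe)) for pid, exe in snapshot)
    flagged = [(pid, name) for pid, name in processes if name in block_list]

    if policy == "refuse":
        deliver = not flagged
        to_terminate = []
    elif policy == "terminate":
        deliver = True
        to_terminate = [pid for pid, _ in flagged]
    else:  # "record"
        deliver = True
        to_terminate = []

    record = {
        "captured_at": datetime.now(timezone.utc).isoformat(),
        "policy": policy,
        "processes": [name for _, name in processes],
        "flagged": [name for _, name in flagged],
        "deliver": deliver,
        "terminate_pids": to_terminate,
    }
    # Digest over the process list so the record can be bound to the results
    # it is submitted with and checked unchanged during a future audit.
    record["digest"] = hashlib.sha256(
        json.dumps(record["processes"]).encode()
    ).hexdigest()
    return record


if __name__ == "__main__":
    # Constructed snapshot: a desktop shell, a capture tool and the browser itself.
    sample = [
        (4, "C:\\Windows\\explorer.exe"),
        (99, "C:\\Tools\\ScreenCapture.EXE"),
        (7, "C:\\Program Files\\SecureBrowser\\sb.exe"),
    ]
    for p in ("refuse", "terminate", "record"):
        print(p, audit_processes(sample, policy=p)["deliver"])
```

Whichever policy is chosen, the record always carries the full process list and its digest, so the "record" and "refuse" policies differ only in whether delivery goes ahead, not in what is available to the auditor afterwards.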
The secure browser is most secure when it is run on a controlled PC, for example in an exam center or in a controlled computer lab. If you can control the PC being used for the assessment, you can make a completely secure environment to take tests in. But a secure browser can also be used when delivering tests remotely, when a participant uses their normal PC at home or in their office to take assessments. The test administrator can use a template setting that forces any assessment using the template to be available only if the assessment is being taken with the secure browser. The assessment will not run in any other browser, even if it is being taken remotely. This won't deal with all the above concerns; for example, other URLs can still be accessed on a second computer. But it will still be very difficult to print out tests or copy them to other applications to pass on to other parties.
To improve security, the PCs used by participants should be booted up and Secure Browser should be started before they arrive. It may be possible to automate this in some way, either by putting Secure Browser in the Startup folder, or by using other tools. The system may be vulnerable if the PC can be turned off and then re-booted, since this will exit Secure Browser. It is possible to supervise the PC to prevent this. Some organizations also use closed circuit TV or a video camera to record exam centers to monitor such attempts to bypass the security.
In order to frustrate attempts to capture ASCII or text data from secure content, this may be transmitted and/or rendered as a graphic content object, rather than as a text object.
The present system and method may thus be used to:
Stop people from printing questions
Stop people from typing in their own URL
Always display in full screen so it's not possible to maximize or minimize
Avoid display of menu options or icons
Disable control keys
Disable right-click menu options
Prevent going backwards to a previous page
Stop people exiting in a high stakes, proctored, environment
Prevent running other programs, like a calculator or spell-checker, if this is desired
Hide the HTML source
Prevent application capture and application sharing
Provide an API to control certain functions of a browser from the server
Command the secure browser, by a cooperative server, to display a toolbar
The following can be enabled from the server if the assessment requires these features: Print the current page; Close browser; Back button; and Refresh the current page.
The present invention provides three particular aspects of interest: (a) Launch of a secure browser from a regular browser; (b) Indicate which web page to ‘get’; and (c) Server authentication that the correct browser has been launched.
Launch of a Secure Browser from a Regular Browser
Internet technologies allow a MIME type to be specified to indicate to the computer operating system which program should be used to display the content. The MIME type may be defined by the file extension or the Content-type header returned by a web server. The present invention, for example, specifies a new MIME type of “Questionmark Secure Browser” (or equivalent) which starts the secure browser to display the assessment or e-learning content that requires more security than a normal browser would provide.
A web page contains a link (triggering link) that, when accessed, passes a MIME type to indicate that a secure browser is required to display this content.
Indicating which Web Page to ‘Get’
While the MIME type specifies that the content must be displayed in a secure browser, it doesn't specify where the content is located. There are three general alternatives: (1) Allow the original link to specify the URL of the content so that the secure browser can call the content using a normal HTTP GET command; (2) Allow the secure browser to have a system configuration that allows the secure browser to be triggered to call a specific URL or IP address; and (3) Allow the secure browser to have a system configuration that allows the secure browser to be triggered to call a specific URL or IP address along with a parameter that was provided as part of the trigger (combining (1) and (2), above—the server URL/IP address is configured within the secure browser while the specific assessment and other details are defined in the trigger). It's also possible to have the cooperating server provide some of the details.
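The two sections above describe the launch sequence as one procedure: the regular browser hands a payload of the secure MIME type to the secure browser, which then has to work out which page to GET. The following is an added example of that resolution step, not Questionmark's own code; the MIME type name, the key=value trigger format, the configuration keys and the `start` path are all assumptions. It implements alternatives (1) and (3) from the text, and adds the check a practitioner would want: the trigger alone must not be able to send the secure browser to an arbitrary server, so a full URL in the trigger is honoured only over https and only for a host on the locally configured allow-list, while the assessment-only form is always built on the configured server base.

```python
"""Resolving the secure browser's start URL from a trigger payload.

Added example: the trigger format, the MIME type name and the configuration
keys are assumptions for illustration, not the Secure Browser's own.
"""
from urllib.parse import urlencode, urlsplit, urlunsplit

# Assumed MIME type registered for the secure browser at install time.
SECURE_MIME_TYPE = "application/x-secure-browser-trigger"

# Assumed local configuration of the secure browser (alternatives (2)/(3)):
# the cooperating server is fixed here, not chosen by the trigger.
CONFIG = {
    "server_base": "https://assessments.example.test/perception/",
    "allowed_hosts": {"assessments.example.test"},
}


def parse_trigger(payload: str) -> dict:
    """Parse a key=value trigger body (constructed format) into a dict."""
    fields = {}
    for raw in payload.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed trigger line: {line!r}")
        key, value = line.split("=", 1)
        fields[key.strip().lower()] = value.strip()
    return fields


def resolve_start_url(content_type: str, payload: str, config: dict = CONFIG) -> str:
    """Return the URL the secure browser should GET, or raise ValueError.

    Alternative (1): the trigger carries a full 'url='; it is accepted only if
    its scheme is https and its host is on the configured allow-list.
    Alternative (3): the trigger carries only 'assessment=' (plus an optional
    'session='); the URL is built on the locally configured server_base, so a
    forged trigger cannot point the secure browser at another server.
    """
    # Content-Type may carry parameters (e.g. charset); compare the media type only.
    if content_type.split(";")[0].strip().lower() != SECURE_MIME_TYPE:
        raise ValueError("not a secure-browser trigger")
    fields = parse_trigger(payload)

    if "url" in fields:
        parts = urlsplit(fields["url"])
        if parts.scheme != "https":
            raise ValueError("secure content must be fetched over https")
        if parts.hostname not in config["allowed_hosts"]:
            raise ValueError(f"host {parts.hostname!r} not permitted")
        return fields["url"]

    if "assessment" not in fields:
        raise ValueError("trigger names no assessment")
    query = {"assessment": fields["assessment"]}
    if "session" in fields:
        query["session"] = fields["session"]
    base = urlsplit(config["server_base"])
    # "start" is an assumed entry point on the configured server.
    return urlunsplit((base.scheme, base.netloc, base.path + "start", urlencode(query), ""))


if __name__ == "__main__":
    # Constructed trigger as a regular browser would hand it to the secure browser.
    trigger = "# secure assessment trigger\nassessment=1234\nsession=abc\n"
    print(resolve_start_url("application/x-secure-browser-trigger; charset=utf-8", trigger))
```

Keeping the server identity in the secure browser's own configuration rather than in the trigger is what makes the later server authentication meaningful: the browser only ever presents its credentials to a host it was installed to trust.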
Server Authentication that the Correct Browser has been Launched
While the MIME type specifies that a secure browser should be used, it is possible that other applications could intervene and display the content insecurely. Current browsers identify themselves by indicating their name in the HTTP User-Agent header, but this can be ‘spoofed’ or forged quite easily. These limitations require there to be a method of authentication to confirm that a secure browser is truly running within the user's environment. This can be effectively accomplished by the secure browser authenticating itself in the HTTP headers or other information it sends to the web server. Likewise, there can be an exchange of information between server and secure browser, for example similar to the Kerberos protocol or IEEE-1394 Digital Transmission Content Protection (DTCP), to authenticate the browser and/or the server to one another, as required.
Cryptographically secure authentication methods include, but are not limited to: Shared secret (a key is configured within the secure browser and at the server; the keys must match to allow authorization); Exchange of tokens based on shared secrets; Exchange of limited life tokens based on shared secrets; Exchange of public and private keys (public key encryption); and Specific values in the HTTP_USER_AGENT or other HTTP keys.
It is therefore an object of the invention to provide a secure user interface method, for interacting with a user through a browser, the browser providing a set of navigational functionality, comprising requesting a document from a cooperative server; receiving data in response to the request; automatically determining whether a secure browser is required to be employed, for example based on a type code or type encoding, the secure browser defining a set of functionality restricted with respect to the functionality of the browser alone; invoking the secure browser; receiving the secure content for presentation in the secure browser; and communicating an input from the user, through the secure browser, to a cooperative server. The functionality may be limited navigational functionality (e.g., access of unrestricted documents, documents outside a specified set, or access of other applications or windows), data manipulation functionality, data export functionality (e.g., print, copy, save, cut, paste, etc.), or the like. The server may authenticate the secure browser, and likewise, the secure browser may authenticate the server, before presenting the secure content. The secure browser may restrict termination of its own execution.
The secure browser may be granted principal application level control over graphic user interface inputs from a user, and/or exclusive control over graphic user interface functionality when invoked.
Additional Protection of Graphics
Additionally, the secure browser may protect graphics, multimedia or other resource files referenced from within the HTML, XML or other secure content technology in the pages being accessed by the browsers. The resources, for example, are delivered by a content server, configured to detect the secure browser and only deliver to this, in the same way that the main content itself is protected. This would deal with the issue, common in Internet testing, that even if a test is protected, the graphics within it are not. The secure server, in this case, may be the same or different from the secure server delivering the text. It is further possible to provide direct secure server intercommunication, or to use the secure browser to pass messages between secure servers, which may include, for example, authorization tokens, financial accounting information, indexes or content identification information, or the like.
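The "Server Authentication" section above lists limited-life tokens based on a shared secret as one of the cryptographic methods, and this section applies the same gate to graphics and other resources. The following added example, which is not Questionmark's protocol, shows both ends of such a scheme in one place: the secure browser computes an HMAC over a timestamp, a nonce and the request path, and the server verifies it, rejects expired or replayed tokens, and refuses a request that carries only a User-Agent string. The header name, token layout, shared secret and URLs are assumptions. Because the check keys on the request path, the same verifier serves both the assessment page and the image files it references.

```python
"""Limited-life token from a shared secret: secure browser side and server side.

Added example, not the Secure Browser's protocol. Header name, token layout,
secret and URLs are assumptions. The MAC covers (timestamp, nonce, method,
path), so a token is tied to one request and expires; the same check gates
both assessment pages and the graphics they reference.
"""
import hashlib
import hmac
import os
import time
from urllib.parse import urlsplit

HEADER = "X-Secure-Browser-Auth"       # assumed header name
TOKEN_LIFETIME = 60                     # seconds a token stays valid
SHARED_SECRET = b"constructed-shared-secret-for-example"  # configured at both ends


def _mac(secret, ts, nonce, method, path):
    msg = f"{ts}\n{nonce}\n{method.upper()}\n{path}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


# ---- secure browser side --------------------------------------------------
def make_auth_header(secret, method, url, now=None, nonce=None):
    """Build the header value the secure browser attaches to each request."""
    ts = int(time.time() if now is None else now)
    nonce = nonce or os.urandom(8).hex()
    path = urlsplit(url).path
    return f"ts={ts};nonce={nonce};mac={_mac(secret, ts, nonce, method, path)}"


# ---- server side ----------------------------------------------------------
class SecureBrowserVerifier:
    """Verifies tokens; remembers nonces within the lifetime window to stop replay."""

    def __init__(self, secret, lifetime=TOKEN_LIFETIME):
        self.secret, self.lifetime, self._seen = secret, lifetime, {}

    def verify(self, headers, method, path, now=None):
        now = time.time() if now is None else now
        # Drop expired nonces so the replay cache does not grow without bound.
        self._seen = {n: t for n, t in self._seen.items() if now - t <= self.lifetime}
        value = headers.get(HEADER)
        if not value:
            return False            # a User-Agent string alone proves nothing
        try:
            fields = dict(part.split("=", 1) for part in value.split(";"))
            ts, nonce, mac = int(fields["ts"]), fields["nonce"], fields["mac"]
        except (ValueError, KeyError):
            return False
        if abs(now - ts) > self.lifetime or nonce in self._seen:
            return False
        expected = _mac(self.secret, ts, nonce, method, path)
        if not hmac.compare_digest(expected, mac):   # constant-time comparison
            return False
        self._seen[nonce] = now
        return True


def serve(verifier, method, path, headers, now=None):
    """Return an HTTP status: the page or graphic goes only to a verified secure browser."""
    return 200 if verifier.verify(headers, method, path, now) else 403


if __name__ == "__main__":
    verifier = SecureBrowserVerifier(SHARED_SECRET)
    page = "https://assessments.example.test/perception/start?assessment=1"
    header = make_auth_header(SHARED_SECRET, "GET", page)
    print(serve(verifier, "GET", "/perception/start", {HEADER: header}))   # 200
    print(serve(verifier, "GET", "/perception/start", {HEADER: header}))   # 403: replay
    print(serve(verifier, "GET", "/img/q1.png", {"User-Agent": "Secure Browser"}))  # 403
```

The replay cache only needs to hold nonces for the token lifetime, which is why the verifier prunes it on every call; a server that is scaled out across several machines would have to share that cache, or fall back to the shorter-lived challenge style of exchange the text mentions in its Kerberos comparison.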