Jump to content
Chinese-Forums
  • Sign Up

new HSK security concerns


Recommended Posts

Posted

[Edited] When connecting to chinesetesting.cn, for instance to register for an HSK test,

the connection is unsecured, so anyone spying on the network can see not only your username and password, but also your detailed identity information (full name, birth day, address, passport number...).

(I had a moment of incredulity and thought "perhaps they use some kind of Javascript encryption method that does not show as https". Nope, I checked, all data in the clear.)

At the very least I advise everyone to avoid using that website over a wireless connection, to avoid tempting hobbyist hackers. But serious hackers can spy even on physical wire, so the probability of identity theft is not null however you connect.

(And, I am aware that even https is not absolute protection, but at least it can deter some of the would-be hackers.)

What to do about this? Has anyone contacted the HSK organizers in China before?

I was thinking we could massively send polite messages to Hanban requesting they change their website to secure both the individual applicant and the testing center staff interfaces of course, plus any correcting/administrative staff interfaces.

Posted

Because JavaScript runs client-side only (except node.js, of course), there's no safe JavaScript encryption, and even more so when a third party can read the data being sent over the network. Like you said, Hanban needs to implement HTTPS, which is pretty much 100% secure as long as they use a key that's long enough. It's not hard to implement HTTPS either, but somehow I think that trying to get Hanban to switch to HTTPS is going to be harder than getting a perfect score on the HSK...

Posted

I'm afraid you are right, Hanban will probably be difficult to move...

Sooner or later there will be a big scandal...

Posted

That's also how you registered for HSK. If you didn't do it yourself, the testing center did it for you, and I'd bet the web page they use isn't secured either...

(in addition to the paper application itself which the testing center might not shred before throwing away).

  • 1 month later...
Posted

A lot of companies work like this: Ignore user safety until a scandal hits.

Normally I avoid such companies, but there aren't that much alternatives to HSK if you need a HSK certificate.

Posted

True. I have been looking at alternate tests, however I have not checked whether they take privacy seriously or not.

There's the Taiwan test (former TOP), and now the French government has launched a practical test of Chinese (among other languages) which is supposed to be graded according to CEFR levels... but I think it has been offered only once so far for Chinese learners.

Posted

In 2009 I tried to get Hanban to stop linking to the 2007 HSK schedule, with no success. Good luck on getting them to fix this...

To be honest, given the number of landlords, property agents, hotel receptionists and visa agents that already have that info, and in some cases high quality scans of my passport, I'm not sure I'd let it stop me taking the exam, if I was planning to.

  • 2 weeks later...

Join the conversation

You can post now and select your username and password later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Click here to reply. Select text to quote.

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...