90% of SSL VPNs are ‘hopelessly insecure’, say researchers

Computer says "...oh"

Nine in 10 SSL VPNs use insecure or outdated encryption, putting corporate data at risk in the process, according to new research.

High-Tech Bridge (HTB) conducted large-scale Internet research on live and publicly-accessible SSL VPN servers. The firm passively scanned 10,436 randomly selected publicly available SSL VPN servers (taken from a scope of four million randomly selected IPv4 addresses) from the largest vendors, such as Cisco, Fortinet and Dell.

The scan uncovered numerous problems, as summarised below:

  • Three in four (77 per cent) of tested SSL VPNs still use the obsolete SSLv3 protocol, which was forged way back in 1996. About a hundred have SSLv2. Both have been subject to numerous vulnerabilities and weaknesses over the years and neither is considered safe.
  • Three in four (76 per cent) of tested SSL VPNs use an untrusted SSL certificate, opening the door to potential man-in-the-middle attacks. Hackers might be able to set up a counterfeit server impersonating the real deal before harvesting data sent over a supposedly “secure” VPN connection. Corporates leaving the vendor's default pre-installed certificate in place is the main cause of this problem in practice, according to HTB.
  • A similar 74 per cent of certificates have an insecure SHA-1 signature, while five per cent make use of even older MD5 technology. By 1 January 2017, the majority of web browsers plan to deprecate and stop accepting SHA-1 signed certificates, since the ageing technology is not strong enough to withstand potential attacks.
  • Around 41 per cent of SSL VPNs use insecure 1024-bit keys for their RSA certificates. The RSA certificate is used for authentication and encryption key exchange. RSA key lengths below 2048 bits are considered insecure because they open the door to attacks, some based on advances in code breaking and cryptanalysis.
  • One in 10 SSL VPN servers that rely on OpenSSL (e.g. Fortinet) are still vulnerable to Heartbleed. The infamous Heartbleed vulnerability, discovered in April 2014, affected all products using or relying on OpenSSL, creating a straightforward way for hackers to extract sensitive data such as encryption keys and more from the memory of unpatched systems.
  • Only three per cent of scanned SSL VPNs are compliant with PCI DSS requirements, and none was found compliant with NIST guidelines. The credit card industry's PCI DSS requirements and NIST guidelines from the US set out baseline security standards for organisations handling credit card transactions or government data.
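Three of the findings above (untrusted or vendor-default certificates, MD5/SHA-1 signatures, RSA keys under 2048 bits) can be checked on any certificate you can pull from a server. The following is an added example, not code from High-Tech Bridge or from the article: a standard-library-only Python audit that walks the DER structure of an X.509 certificate, reads the signature algorithm OID and the RSA modulus size, and flags a self-signed certificate (issuer Name equal to subject Name) as having no trusted chain. Because a real certificate cannot be embedded here, the block also constructs an unsigned skeleton certificate with an empty issuer/subject (`build_test_certificate`, a constructed sample, not a real certificate) so that it runs offline; `fetch_server_certificate` is the hypothetical helper that would feed it a live server's leaf certificate instead.

```python
"""Audit a DER X.509 certificate for weak signature hashes, short RSA keys
and missing trust chain (self-signed). Standard library only; added example."""
import socket
import ssl

RSA_OID = "1.2.840.113549.1.1.1"
SIG_OIDS = {                      # signature algorithm OIDs the audit recognises
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_SIGNATURES = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}
MIN_RSA_BITS = 2048

def read_tlv(buf, pos):
    """Decode the DER element at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:             # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split the content of a SEQUENCE into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        out.append((tag, value))
    return out

def decode_oid(value):
    """OID content octets to dotted form; the first octet packs arcs 1 and 2."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def audit_certificate(der):
    """Return the signature algorithm, RSA key size and a list of findings."""
    _, cert, _ = read_tlv(der, 0)
    tbs, sig_alg, _signature = children(cert)
    signature = SIG_OIDS.get(decode_oid(children(sig_alg[1])[0][1]), "unknown")
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:      # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # then: serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    issuer, subject, spki = fields[2], fields[4], fields[5]
    spki_alg, spki_key = children(spki[1])
    key_oid = decode_oid(children(spki_alg[1])[0][1])
    result = {"signature": signature, "key_bits": None, "issues": []}
    if signature in WEAK_SIGNATURES:
        result["issues"].append(f"weak signature algorithm {signature}")
    if key_oid == RSA_OID:
        rsa_key = spki_key[1][1:]  # BIT STRING: skip the unused-bits octet
        modulus, _exponent = children(children(rsa_key)[0][1])
        result["key_bits"] = int.from_bytes(modulus[1], "big").bit_length()
        if result["key_bits"] < MIN_RSA_BITS:
            result["issues"].append(f"RSA key only {result['key_bits']} bits")
    if issuer == subject:         # DER-encoded issuer Name equals subject Name
        result["issues"].append("self-signed certificate (no trusted chain)")
    return result

def fetch_server_certificate(host, port=443):
    """Hypothetical helper: grab the leaf certificate a live server presents."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # auditing: accept anything, then inspect it
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

# --- constructed offline input: unsigned skeleton, not a real certificate ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_int(value):
    b = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return der(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:                # base-128 digits, high bit set on all but the last
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return der(0x06, body)

def build_test_certificate(key_bits, sig_oid):
    """Skeleton with a modulus of exactly key_bits bits and the given signature OID."""
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))
    rsa = der(0x30, der_int((1 << (key_bits - 1)) | 1) + der_int(65537))
    spki = der(0x30, der(0x30, encode_oid(RSA_OID) + der(0x05, b"")) + der(0x03, b"\x00" + rsa))
    name = der(0x30, b"")         # empty Name used for both issuer and subject
    validity = der(0x30, der(0x17, b"160101000000Z") + der(0x17, b"170101000000Z"))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 17))

if __name__ == "__main__":
    print(audit_certificate(build_test_certificate(1024, "1.2.840.113549.1.1.5")))
```

Running the block as-is audits the constructed 1024-bit, SHA-1-signed sample and reports all three findings; swapping in `fetch_server_certificate("vpn.example.invalid")` audits a real appliance. The protocol-version findings (SSLv2/SSLv3) and Heartbleed are not covered here: modern OpenSSL builds behind Python's `ssl` module no longer speak SSLv3 at all, so those checks need a dedicated scanner such as testssl.sh or nmap's ssl-enum-ciphers script.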

VPNs allow users to securely access a private network and share data remotely through public networks. If you're just browsing the web, SSL VPNs offer advantages over earlier generations of IPsec VPNs because they do away with the need to install client software. Remote workers can connect to corporate SSL VPN appliances providing they have a web connection and the right login credentials. The technology commonly supports 2FA for applications such as email.

Many network admins evidently still consider SSL/TLS encryption as something applicable to HTTPS protocol only, forgetting that vital Internet services such as email also rely on it.

Ilia Kolochenko, chief exec of High-Tech Bridge, commented: “Today many people still associate SSL/TLS encryption mainly with HTTPS protocol and web browsers, and seriously underestimate its usage in other protocols and internet technologies.”

High-Tech Bridge provides a free online service that allows anyone to check their SSL/TLS configuration. The firm's service supports any protocol that relies on SSL encryption, so interested parties can test their web, email or VPN servers with it. ®


Biting the hand that feeds IT © 1998–2022