90% of SSL VPNs are ‘hopelessly insecure’, say researchers
Computer says "...oh"
Nine in 10 SSL VPNs use insecure or outdated encryption, putting corporate data at risk in the process, according to new research.
High-Tech Bridge (HTB) conducted large-scale Internet research on live and publicly-accessible SSL VPN servers. The firm passively scanned 10,436 randomly selected publicly available SSL VPN servers (taken from a scope of four million randomly selected IPv4 addresses) from the largest vendors, such as Cisco, Fortinet and Dell.
The scan uncovered numerous problems, as summarised below:
- Three in four (77 per cent) of tested SSL VPNs still use the obsolete SSLv3 protocol, which was forged way back back in 1996. About a hundred have SSLv2. Both have been subject to numerous vulnerabilities and weaknesses over the years and neither is considered safe.
- Three in four (76 per cent) of tested SSL VPNS use an untrusted SSL certificate, opening the door to potential man-in-the-middle attacks. Hackers might be able to set up a counterfeit server impersonating the real deal before harvesting data sent over a supposedly allegedly “secure” VPN connection. Usage by corporates of default pre-installed certificate from the vendor is the main cause of this problem in practice, according to HTB.
- A similar 74 per cent of certificates have an insecure SHA-1 signature, while five per cent make use of even older MD5 technology. By 1 January 2017, the majority of web browsers plan to deprecate and stop accepting SHA-1 signed certificates, since the ageing technology is no strong enough to withstand potential attacks.
- Around 41 per cent of SSL VPNs use insecure 1024-bit keys for their RSA certificates. RSA certificate is used for authentication and encryption key exchange. RSA key lengths below 2048 are considered insecure because they open the door to attacks, some based on advances in code breaking and crypto-analysis.
- One in 10 of SSL VPN servers that rely on OpenSSL (e.g. Fortinet), are still vulnerable to Heartbleed. The infamous Heartbleed vulnerability, discovered in April 2014, affected all products using or relying on OpenSSL, creating a straightforward way for hackers to extract sensitive data such as encryption keys and more from the memory of unmatched systems.
- Only three per cent of scanned SSL VPNs are compliant with PCI DSS requirements, and none was found compliant with NIST guidelines. The credit card industry’s PCI DSS requirements and NIST guidelines from the US set out baseline security standards for organisation handling credit card transactions or government data.
VPNs allow users to securely access a private network and share data remotely through public networks. If you're just browsing the web, SSL VPNs offer advantages over earlier generations of IpSec VPNs because they do away with the need to install client software. Remote workers can connect to corporate SSL VPN appliances providing they have a web connection and the right login credentials. The technology commonly support 2FA for applications such as email.
Many network admins evidently still consider SSL/TLS encryption as something applicable to HTTPS protocol only, forgetting that vital Internet services such as email also rely on it.
Ilia Kolochenko, chief exec of High-Tech Bridge, commented: “Today many people still associate SSL/TLS encryption mainly with HTTPS protocol and web browsers, and seriously underestimate its usage in other protocols and internet technologies.”
High-Tech Bridge provide a free online service that allows anyone to check their SSL/TLS connection. The firm's service supports any protocols that rely on SSL encryption, so interested parties can test your web, email or VPN servers with it. ®