Most SSL VPNs are Wildly Insecure

Most SSL VPNs are Wildly Insecure

VPNs are a time-worn fixture of the enterprise landscape, allowing users to securely access a private network and share data remotely through public networks. Unfortunately, they’re also often full of security issues, like the fact that 77% of tested SSL VPNs still use the insecure SSLv3 protocol.

High-Tech Bridge conducted large-scale Internet research on live and publicly-accessible SSL VPN servers, and found that in addition, only about a hundred of the tested servers have SSLv2.

“SSLv3 protocol was created in early 1996,” explained the firm in its report. “Today, its failings are recognized and it’s not recommended, with the majority of international and national security standards and compliance norms, such PCI DSS or NIST SP 800-52, prohibiting its usage due to numerous vulnerabilities and weaknesses discovered in it over the years.”

About three-quarters (76%) of tested SSL VPNS also use an untrusted SSL certificate. An untrusted certificate allows a remote attacker to impersonate the VPN server, perform man-in-the-middle attacks, and intercept all the data, including files, emails and passwords the user passes over the allegedly “secure” VPN connection. The largest risk observed was due to usage of default pre-installed certificates from the vendors.

The bad news doesn’t end there: 74% of certificates have an insecure SHA-1 signature, despite the fact that the majority of web browsers plan to depreciate and stop accepting SHA-1 signed certificates, as the algorithm’s weaknesses can potentially allow an SSL certificate to be forged, impersonating a server and intercepting critical data.

About 41% of SSL VPNs use insecure 1024 key length for their RSA certificates, which are used for authentication and encryption key exchange. RSA key length below 2048 is considered insecure, allowing various attacks.

10% of SSL VPN servers that rely on OpenSSL are still vulnerable to Heartbleed. And, only 3% are compliant with PCI DSS requirements, and none is compliant with NIST guidelines, which are considered a minimum required level of security.

Overall, less than 3% of tested SSL VPNs got the highest “A” grade for security, while almost 86% got the lowest failing “F” grade.

“Today many people still associate SSL/TLS encryption mainly with HTTPS protocol and web browsers, and seriously underestimate its usage in other protocols and Internet technologies,” said Ilia Kolochenko, CEO of High-Tech Bridge. “A lot of things can be done to improve reliability and security of SSL VPNs.”

Photo © kubais

Source: Information Security Magazine