UK Universities Caught With Weak SSL Security

← Back to Stories (view on slashdot.org)

UK Universities Caught With Weak SSL Security

Posted by samzenpus on Wednesday June 27, 2012 @09:36PM from the come-on-in dept.

judgecorp writes "UK Universities have been found using weak SSL security implementations on their websites. An investigation by TechWeekEurope found 17 of the top 50 British universities scored C or worse on the SSL Labs tool launched by the Trustworthy Internet Movement earlier this year, which grades SSL security. Contacted by the site, most have put upgrades in place to improve security."

40 comments

Min score:

Reason:

Sort:

Denerdification of the Industry by Anonymous Coward · 2012-06-27 22:01 · Score: 5, Insightful

In the end, Unis don't want web services to be their core business.
Where once Sysadmins managed the web, now it is run by project managers,
consultants, standardised, virtualised, outsourced or offshored.
The nerds get marginalised and the job gets dumbed down.
Quality falls, hilarity ensues. Everybody dies.
1. Re:Denerdification of the Industry by Cryacin · 2012-06-27 23:29 · Score: 2
  
  Silly question. Why not make the security of the university part of a few courses? One team sets up the defensive strategy, the next team the offensive. Switch mid term.
  
  --
  Science advances one funeral at a time- Max Planck
2. Re:Denerdification of the Industry by Anonymous Coward · 2012-06-27 23:38 · Score: 0
  
  In short, people who are totally and utterly uncompetent and ignorant, yet overpaid.
3. Re:Denerdification of the Industry by L4t3r4lu5 · 2012-06-27 23:40 · Score: 1
  
  You missed the start of War Games, right? How about Hackers?
  
  Students working on your security make for an underground market of answer sheets and grade changes.
  
  --
  Finally had enough. Come see us over at https://soylentnews.org/
4. Re:Denerdification of the Industry by Anonymous Coward · 2012-06-27 23:42 · Score: 0
  
  I meant "incompetent"
5. Re:Denerdification of the Industry by Anonymous Coward · 2012-06-27 23:49 · Score: 0
  
  Start with the essential. Switch every desktop to Linux or another NIX flavor. Stop the Winbot commerce once and for all.
6. Re:Denerdification of the Industry by Anonymous Coward · 2012-06-27 23:51 · Score: 0
  
  I liked uncompetent, it's a bit like unpossible which I also like.
7. Re:Denerdification of the Industry by catmistake · 2012-06-28 03:43 · Score: 1
  
  You missed the start of War Games, right?
  The start of WarGames... let's see IIRC... Mr. Blonde nearly ended Leo McGarry because he didn't want to press the Big Red Button®... and it turned out the launch command was just an exercise, so it's a good thing Mr. McGarry had a conscience and didn't end the world, but they replaced all the silo monkeys with old blinking light props from Star Trek anyway, which set the stage for Skynet, the A.I. created by Cyberdyne Systems for SAC-NORAD, which we find out the following year regarded all humans as a threat; not just the ones on the other side, and decided our fate in a microsecond: extermination. Its too bad we didn't just let Joshua keep playing the game... Skynet wouldn't have had a chance against the WOPR.
  
  --
  The Admin and the Engineer
8. Re:Denerdification of the Industry by Anonymous Coward · 2012-06-28 06:13 · Score: 0
  
  But but but my mom and dad said geeks would become the CEOs in the future, not the jocks!
9. Re:Denerdification of the Industry by tehcyder · 2012-06-28 21:34 · Score: 1
  
  Quality falls, hilarity ensues. Everybody dies.
  That sounds like the last paragraph of a Samuel Beckett story. Good work.
  
  --
  To have a right to do a thing is not at all the same as to be right in doing it
10. Re:Denerdification of the Industry by tehcyder · 2012-06-28 21:37 · Score: 1
  
  Start with the essential. Switch every desktop to Linux or another NIX flavor. Stop the Winbot commerce once and for all.
  What would that have to do with their website's security? Do you think they are running their sites off a Windows desktop machine?
  
  --
  To have a right to do a thing is not at all the same as to be right in doing it
11. Re:Denerdification of the Industry by tehcyder · 2012-06-28 21:40 · Score: 1
  
  In short, people who are totally and utterly uncompetent and ignorant, yet overpaid.
  Whereas you, of course, are absolutely competent and brilliant, yet underpaid.
  
  If it's really so easy to be "overpaid", why don't you go and do it? I'm sure you could disguise your 1337 knowledge if you tried.
  
  --
  To have a right to do a thing is not at all the same as to be right in doing it
12. Re:Denerdification of the Industry by L4t3r4lu5 · 2012-06-29 01:51 · Score: 1
  
  +1 Pedantry to you, Sir.
  
  --
  Finally had enough. Come see us over at https://soylentnews.org/
Bloody Hell. by VortexCortex · 2012-06-27 22:35 · Score: 5, Funny

TechWeekEurope found 17 of the top 50 British universities scored C or worse on the SSL Labs tool
All right, which of you tossers went and buggered the curve?
Nice tool by oobayly · 2012-06-27 22:38 · Score: 4, Interesting

Our websites were rated at C/D, and our intranet was susceptible to BEAST*. It's also quite handy for advising you on what ciphers to disable. All at A now - it's given me a nice warm feeling inside.
* Yes, I know, BEAST was published in September - I know I'm not worth my salt.
1. Re:Nice tool by johnjones · 2012-06-27 23:52 · Score: 2
  
  actually it does not matter I'll just poison your DNS since they don't have DNSSEC... BEAST is the least of their worries...
  have fun now kids
2. Re:Nice tool by jamesh · 2012-06-28 00:12 · Score: 2
  
  Our websites were rated at C/D, and our intranet was susceptible to BEAST*. It's also quite handy for advising you on what ciphers to disable. All at A now - it's given me a nice warm feeling inside.
  * Yes, I know, BEAST was published in September - I know I'm not worth my salt.
  OTOH, you took your medicine and fixed things rather than try and bury the report... you get to keep your geek card for now but we will require you to return your management card.
3. Re:Nice tool by ledow · 2012-06-28 00:23 · Score: 2
  
  My sites score an A, but are vulnerable to BEAST.
  The problem I have is that I'm running an up-to-date Ubuntu LTS edition that apparently is vulnerable, so there's little I can do about BEAST short of recompiling everything myself from what I see.
  But, to be honest, the SSL isn't protecting anything vital and is only really used by myself so BEAST is pretty much a non-issue.
  My SSL cert cost me $50 for 5 years, so I'm not really worried but it does put it in perspective when it comes to how easy getting an "A" can be, even when you are vulnerable to a known attack. Kinda makes their rating pretty worthless, actually.
4. Re:Nice tool by Thing+I+am · 2012-06-28 00:38 · Score: 1
  
  You don't need to recompile anything. Just modified your Apache config to turn on SSLHonorCipherOrder and select which ciphersuites to use. SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL
  
  --
  That sucking sound you hear is my bandwidth.
5. Re:Nice tool by heypete · 2012-06-28 00:44 · Score: 1
  
  Doesn't pretty much every modern browser support client-side workarounds that prevent BEAST? I know OpenSSL's supported it for years.
  I suspect that the "vulnerable to BEAST" issues will disappear once OpenSSL releases (and the various distros distribute) a version that supports TLS 1.1 and 1.2, neither of which are vulnerable.
6. Re:Nice tool by oobayly · 2012-06-28 00:48 · Score: 1
  
  As has been mentioned, no recompiling is necessary:
  https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls
7. Re:Nice tool by tehcyder · 2012-06-28 21:42 · Score: 1
  
  SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL
  That's easy for you to say.
  
  --
  To have a right to do a thing is not at all the same as to be right in doing it
Oh noes! Weak SSL Security Settings! by Anonymous Coward · 2012-06-27 23:05 · Score: 5, Informative

This is hilarious. "Weak SSL Security Settings" is what pentesters write to pad out their report when they run out of useful findings. Universities have the poorest computer security of any type of organisation, period. Now, there are a lot of reasons for that - one of which is the inherent conflict between running an "open" network and keeping things secure. But if "poor SSL security settings" is the worst security issue a uni has, they are doing incredibly well.
Weak SSL security is something you exploit if a) you're a government, or b) you're screwing around with people in a coffee shop. Most of the published attacks are academic, and the only tool people regularly use is sslstrip or attacks along those lines. Hell, most users click through certificate warnings anyway.
But hey, even though SSL is "not usually the actual problem", these things should be fixed. If you want to test your own site, head over to: https://www.ssllabs.com/ssltest/index.html and plug in your domain name. If you're just running a "1 apache site", that satisfying green bar or "A grade" is just a few config stanzas and a restart away.
1. Re:Oh noes! Weak SSL Security Settings! by SuricouRaven · 2012-06-27 23:32 · Score: 2
  
  My server is barely-configured and uses a self-signed cert for the wrong hostname. This should be good.
  
  Grade: F
  Score: Zero.
  
  I'm not going to get it signed. Have you seen how much that costs?
2. Re:Oh noes! Weak SSL Security Settings! by piripiri · 2012-06-27 23:44 · Score: 1
  
  Have you seen how much that costs?
  StartSSL provides class 1 certificates at no cost!
3. Re:Oh noes! Weak SSL Security Settings! by KiloByte · 2012-06-27 23:51 · Score: 1
  
  That's because of the VeriSign/Thawte racket. They charge money for no work. According to SSL design, any certificate is supposed to undergo more checking that they currently do for EV certs. Since the CAs are not going to actually do the checking, it is time to move to DNSSEC-based signatures, which are strictly better than the present state. Even if the CAs themselves would be perfectly secure, they sell certificates to anyone who can read mail sent to the given domain, and if you can set DNSSEC, you can set a MX just as well. So the current state of SSL is nothing but a money grab.
  
  --
  The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
4. Re:Oh noes! Weak SSL Security Settings! by JasterBobaMereel · 2012-06-28 00:13 · Score: 1
  
  These are open websites, no confidential information, it is just a public facing system
  Like people "hacking the FBI" it is meaningless to have access to a website that only provides information, you already have the information before you hacked it ...
  This is security company scanning websites that don't care and finding they are "insecure" according to their own tool ... ...most of these tools have scary warnings that a system is insecure "in flashing bright red letters" for very minor and largely irrelevant issues
  
  --
  Puteulanus fenestra mortis
5. Re:Oh noes! Weak SSL Security Settings! by Anonymous Coward · 2012-06-28 00:22 · Score: 0
  
  It's a shame that their test claims "BEAST vulnerable" and then links to a page with recommendations that, when implemented, still leave your site "BEAST vulnerable" (according to them anyway).
  Huh?
6. Re:Oh noes! Weak SSL Security Settings! by ledow · 2012-06-28 00:29 · Score: 1
  
  I got a 5-year cert from GoDaddy for $50. It's really not that much if you've bothered to have an SSL port exposed to the world. It scores "A" on that site and doesn't produce any kind of cert warning in any browser that I know of (and Opera is particularly fussy about SSL certs).
  Beyond that, a number of SSL suppliers give out free certs now for the lower end (not saying you'd score "A" but they probably wouldn't error out in most browsers and would give you a basic "padlock").
  Just watch out. There are some companies (like my server host) trying to charge me Â£89 a year for something that I can get for $50 for 5 years. Just shop around, there's lots of cheap certs to be had and because it's a standard and they are signed by pretty much the same entities in the end, if it passes the browser tests, it's the same no matter what you paid for it.
  Oh, and steer clear of EV certs. What a scam. You won't find a cheap one of those at all.
7. Re:Oh noes! Weak SSL Security Settings! by Kozz · 2012-06-28 00:33 · Score: 2
  
  If you're just running a "1 apache site", that satisfying green bar or "A grade" is just a few config stanzas and a restart away.
  I'm not running one, but four. Still, not a big deal. I thought I'd check it out their reporting tool which tells me:
  
  BEAST attack -- Vulnerable INSECURE (more info)
  Secure Renegotiation -- Not supported ACTION NEEDED (more info)
  Insecure Renegotiation -- Supported INSECURE (more info)
  That's fine and dandy. But each of the "more info" links goes to a blog posting that discusses the topic just a little bit, and only one of them provides enough information to fix it. Thankfully our sites aren't handling financial transactions of any kind, or I might have to actually locate a fix... how is everyone else fixing this (esp. the renegotiation vulnerability) if there's nothing available to remedy it except for disabling renegotiation?
  
  --
  I only post comments when someone on the internet is wrong.
8. Re:Oh noes! Weak SSL Security Settings! by Enry · 2012-06-28 00:35 · Score: 1
  
  If I read the page correctly, it reduces the vulnerability to BEAST with the problem being that the full fix is on the client side.
9. Re:Oh noes! Weak SSL Security Settings! by jonwil · 2012-06-28 00:56 · Score: 1
  
  The bad thing is how many important SSL sites (banks and others) get a fail in various areas of the SSL test.
  The SSL for my banks internet banking site fails both the "secure renegotiation" and "insecure renegotiation". Not that the other Australian banks are any better...
10. Re:Oh noes! Weak SSL Security Settings! by thoughtsatthemoment · 2012-06-28 01:05 · Score: 1
  
  What's the reason for the feature of renegotiation? Why not just timeout and re-connect?
11. Re:Oh noes! Weak SSL Security Settings! by Anonymous Coward · 2012-06-28 01:17 · Score: 0
  
  One example: suppose you've got a web site, some of which is public and some of which requires a client certificate. When you visit the private part the server will renegotiate the security to request the client certificate. This happens seamlessly. Without renegotiation, the request would fail and HTTP doesn't have a status code that would make the client retry the request on a new connection.
12. Re:Oh noes! Weak SSL Security Settings! by petermgreen · 2012-06-28 02:00 · Score: 2
  
  Have you seen how much that costs?
  IIRC if you only need one domain on the cert then startssl will do it for free. If you want wildcards or multiple names on the cert then you will have to pay a bit but IIRC it's not horiffically expensive.
  
  --
  note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
13. Re:Oh noes! Weak SSL Security Settings! by AliasMarlowe · 2012-06-28 03:06 · Score: 1
  
  Have you seen how much that costs?
  StartSSL provides class 1 certificates at no cost!
  Which might be way beyond GP's budget. Anyway, StartSSL's server appears to be down (slashdotted?).
  
  --
  Those who can make you believe absurdities can make you commit atrocities. - Voltaire
14. Re:Oh noes! Weak SSL Security Settings! by Anonymous Coward · 2012-06-28 04:13 · Score: 0
  
  You can get a 5 year cert for $29.95: http://www.cheapssls.com/index.php?dispatch=products.view&product_id=3 or a 5 year wildcard for $389.95: http://www.cheapssls.com/comodo-ssl-certificates/positivessl-wildcard.html
SSL not a good fit for uni by fa2k · 2012-06-28 01:05 · Score: 2

Doing research requires setting up a lot of one-off services, like a logbook, wiki, etc. Getting correct certificates for these things is a pain, and it's just not done. So users end up having to accept a large number of self-signed certificates, and bypass the annoying warnings in Firefox. SSL seems to have been designed for large shopping websites, while temporary and small-time web sites / services can't use it effectively. Using a self-signed certificate is much better than not encrypting data, as it prevents snooping in most cases (except for MITM attacks), so this is done. It would be good if browsers adopted a model more similar to SSH's "known_hosts", where there was a simple prompt for first-time visits to sites with unknown self-signed certificates, and the certificate was saved. They could reserve the ridiculous end-of-the-world warnings (like they show currently) for when the certificate changed unexpectedly. People should probably never use short expiry dates for self-signed certificate (unless they set up a CA)
Tip of the iceberg... by Anonymous Coward · 2012-06-28 02:15 · Score: 1

Unfortunately that's not the end of it. I recently found out my alma mater uses software to manage the alumni records from a company called Blackbaud. The software includes a website that alumni can use to keep the university up to date with their contact details, find out about events and hunt down old classmates. The engineers at Blackbaud in their infinite wisdom chose to store passwords in a recoverable format. I nearly flipped when I did a password recovery a few weeks back and was sent my actual password... in plaintext.
I contacted the university and after a long wait, during which the linkedin password leak occurred, I got the answer of "we use this software, there's nothing we can do about it".