Slashdot Mirror


UK Universities Caught With Weak SSL Security

judgecorp writes "UK Universities have been found using weak SSL security implementations on their websites. An investigation by TechWeekEurope found 17 of the top 50 British universities scored C or worse on the SSL Labs tool launched by the Trustworthy Internet Movement earlier this year, which grades SSL security. Contacted by the site, most have put upgrades in place to improve security."

12 of 40 comments

  1. Denerdification of the Industry by Anonymous Coward · · Score: 5, Insightful

    In the end, Unis don't want web services to be their core business.
    Where once Sysadmins managed the web, now it is run by project managers,
    consultants, standardised, virtualised, outsourced or offshored.
    The nerds get marginalised and the job gets dumbed down.
    Quality falls, hilarity ensues. Everybody dies.

    1. Re:Denerdification of the Industry by Cryacin · · Score: 2

      Silly question. Why not make the security of the university part of a few courses? One team sets up the defensive strategy, the next team the offensive. Switch mid term.

      --
      Science advances one funeral at a time - Max Planck

  2. Bloody Hell. by VortexCortex · · Score: 5, Funny

    TechWeekEurope found 17 of the top 50 British universities scored C or worse on the SSL Labs tool

    All right, which of you tossers went and buggered the curve?

  3. Nice tool by oobayly · · Score: 4, Interesting

    Our websites were rated at C/D, and our intranet was susceptible to BEAST*. It's also quite handy for advising you on what ciphers to disable. All at A now - it's given me a nice warm feeling inside.

    * Yes, I know, BEAST was published in September - I know I'm not worth my salt.

    1. Re:Nice tool by johnjones · · Score: 2

      Actually, it does not matter. I'll just poison your DNS since they don't have DNSSEC... BEAST is the least of their worries...

      have fun now kids

    2. Re:Nice tool by jamesh · · Score: 2

      Our websites were rated at C/D, and our intranet was susceptible to BEAST*. It's also quite handy for advising you on what ciphers to disable. All at A now - it's given me a nice warm feeling inside.

      * Yes, I know, BEAST was published in September - I know I'm not worth my salt.

      OTOH, you took your medicine and fixed things rather than try and bury the report... you get to keep your geek card for now but we will require you to return your management card.

    3. Re:Nice tool by ledow · · Score: 2

      My sites score an A, but are vulnerable to BEAST.

      The problem I have is that I'm running an up-to-date Ubuntu LTS edition that apparently is vulnerable, so there's little I can do about BEAST short of recompiling everything myself from what I see.

      But, to be honest, the SSL isn't protecting anything vital and is only really used by myself so BEAST is pretty much a non-issue.

      My SSL cert cost me $50 for 5 years, so I'm not really worried but it does put it in perspective when it comes to how easy getting an "A" can be, even when you are vulnerable to a known attack. Kinda makes their rating pretty worthless, actually.

  4. Oh noes! Weak SSL Security Settings! by Anonymous Coward · · Score: 5, Informative

    This is hilarious. "Weak SSL Security Settings" is what pentesters write to pad out their report when they run out of useful findings. Universities have the poorest computer security of any type of organisation, period. Now, there are a lot of reasons for that - one of which is the inherent conflict between running an "open" network and keeping things secure. But if "poor SSL security settings" is the worst security issue a uni has, they are doing incredibly well.

    Weak SSL security is something you exploit if a) you're a government, or b) you're screwing around with people in a coffee shop. Most of the published attacks are academic, and the only tool people regularly use is sslstrip or attacks along those lines. Hell, most users click through certificate warnings anyway.

    But hey, even though SSL is "not usually the actual problem", these things should be fixed. If you want to test your own site, head over to: https://www.ssllabs.com/ssltest/index.html and plug in your domain name. If you're just running a "1 apache site", that satisfying green bar or "A grade" is just a few config stanzas and a restart away.

    1. Re:Oh noes! Weak SSL Security Settings! by SuricouRaven · · Score: 2

      My server is barely-configured and uses a self-signed cert for the wrong hostname. This should be good.

      Grade: F
      Score: Zero.

      I'm not going to get it signed. Have you seen how much that costs?

    2. Re:Oh noes! Weak SSL Security Settings! by Kozz · · Score: 2

      If you're just running a "1 apache site", that satisfying green bar or "A grade" is just a few config stanzas and a restart away.

      I'm not running one, but four. Still, not a big deal. I thought I'd check out their reporting tool, which tells me:

      BEAST attack -- Vulnerable INSECURE (more info)
      Secure Renegotiation -- Not supported ACTION NEEDED (more info)
      Insecure Renegotiation -- Supported INSECURE (more info)

      That's fine and dandy. But each of the "more info" links goes to a blog posting that discusses the topic just a little bit, and only one of them provides enough information to fix it. Thankfully our sites aren't handling financial transactions of any kind, or I might have to actually locate a fix... how is everyone else fixing this (esp. the renegotiation vulnerability) if there's nothing available to remedy it except for disabling renegotiation?

      --
      I only post comments when someone on the internet is wrong.

    3. Re:Oh noes! Weak SSL Security Settings! by petermgreen · · Score: 2

      Have you seen how much that costs?

      IIRC if you only need one domain on the cert then startssl will do it for free. If you want wildcards or multiple names on the cert then you will have to pay a bit, but IIRC it's not horrifically expensive.

      --
      note: I'm known as plugwash most places but I screwed up registering that here somehow in the past and now can't register

  5. SSL not a good fit for uni by fa2k · · Score: 2

    Doing research requires setting up a lot of one-off services, like a logbook, wiki, etc. Getting correct certificates for these things is a pain, and it's just not done. So users end up having to accept a large number of self-signed certificates, and bypass the annoying warnings in Firefox. SSL seems to have been designed for large shopping websites, while temporary and small-time web sites / services can't use it effectively. Using a self-signed certificate is much better than not encrypting data, as it prevents snooping in most cases (except for MITM attacks), so this is done. It would be good if browsers adopted a model more similar to SSH's "known_hosts", where there was a simple prompt for first-time visits to sites with unknown self-signed certificates, and the certificate was saved. They could reserve the ridiculous end-of-the-world warnings (like they show currently) for when the certificate changed unexpectedly. People should probably never use short expiry dates for self-signed certificate (unless they set up a CA)