Slashdot Mirror

← Back to Stories (view on slashdot.org)

90% of All SSL VPNs Use Insecure Or Outdated Encryption

Posted by yaelk on from the is-your-browser-secure dept.

An anonymous reader writes: 90% of all SSL-based VPNs use insecure or outdated encryption. According to research conducted by information security firm High-Tech Bridge, almost three-quarters of all SSL VPNs use the outdated SSLv3 and SSLv2. In addition, another three-quarters use untrusted certificates exposing users to MitM attacks. 74% use SHA-1 to sign certificates, while 5% of all SSL VPNs still use MD5. All of a sudden, VPNs don't look that secure anymore.

4 of 67 comments (clear)

  1. Re: Untrusted certs by JourneymanMereel · · Score: 4, Informative

    I'm pretty sure that my SSL VPN would not be included in this survey as we don't publish it and only give the URL to those that need it... But if it were, it would be in this insecure category because of an untrusted certificate. Except it's not. The certificate is signed using our internal CA which is trusted on all company computers. We don't want people connecting using their personal computers so I'm not at all concerned with putting a globally trusted cert on it. Other than that, it is secure. We don't use SHA1, we do use TLS rather than SSL, and we use FS. So while they would call it a fail, I would not.

    --
    Life has many choices. Eternity has two. What's yours?
  2. Re: Is there a rankings site? by man+bash · · Score: 4, Informative

    The Qualys SSL labs site is pretty useful: https://www.ssllabs.com/

  3. Re:Literally any VPN is better than no VPN by Anonymous Coward · · Score: 2, Informative

    I use a VPN service, and even if it were relatively breakable, it forces an attacker to be actively attacking the connection. Passive sifting is blocked, which is what I aim for. I use a VPN service for several reasons:

    1: So the local link doesn't have access to all traffic. Some ISPs used to stick identifying headers into every web page request via active MITM. With a VPN, this is blocked.

    2: Crap like Phorm is blocked, so in-flight ads and possibly malvertising is stopped cold.

    3: Passive filtering for headers is nullified.

    4: Block geolocaters. They can use timing attacks to guess, but it does help obfuscate things.

    It may not stop a determined snoop, but like a decent lock, it keeps the amateurs at bay.

  4. Re:Pot calls kettle black by skegg · · Score: 4, Informative

    >> SSL/TLS and encryption are useful only to prevent someone to eavesdropping the conversation and to authentify one or both parties

    Another benefit of SSL-done-right:
    preventing a third-party from injecting additional content -- e.g. a dangerous payload -- into the stream.

    It may not even be a malicious payload. Perhaps just commercial