Slashdot Mirror

← Back to Stories (view on slashdot.org)

90% of All SSL VPNs Use Insecure Or Outdated Encryption

Posted by yaelk on from the is-your-browser-secure dept.

An anonymous reader writes: 90% of all SSL-based VPNs use insecure or outdated encryption. According to research conducted by information security firm High-Tech Bridge, almost three-quarters of all SSL VPNs use the outdated SSLv3 and SSLv2. In addition, another three-quarters use untrusted certificates exposing users to MitM attacks. 74% use SHA-1 to sign certificates, while 5% of all SSL VPNs still use MD5. All of a sudden, VPNs don't look that secure anymore.

3 of 67 comments (clear)

  1. Re: Untrusted certs by JourneymanMereel · · Score: 4, Informative

    I'm pretty sure that my SSL VPN would not be included in this survey as we don't publish it and only give the URL to those that need it... But if it were, it would be in this insecure category because of an untrusted certificate. Except it's not. The certificate is signed using our internal CA which is trusted on all company computers. We don't want people connecting using their personal computers so I'm not at all concerned with putting a globally trusted cert on it. Other than that, it is secure. We don't use SHA1, we do use TLS rather than SSL, and we use FS. So while they would call it a fail, I would not.

    --
    Life has many choices. Eternity has two. What's yours?
  2. Re: Is there a rankings site? by man+bash · · Score: 4, Informative

    The Qualys SSL labs site is pretty useful: https://www.ssllabs.com/

  3. Re:Pot calls kettle black by skegg · · Score: 4, Informative

    >> SSL/TLS and encryption are useful only to prevent someone to eavesdropping the conversation and to authentify one or both parties

    Another benefit of SSL-done-right:
    preventing a third-party from injecting additional content -- e.g. a dangerous payload -- into the stream.

    It may not even be a malicious payload. Perhaps just commercial