Slashdot Mirror


90% of All SSL VPNs Use Insecure Or Outdated Encryption

An anonymous reader writes: 90% of all SSL-based VPNs use insecure or outdated encryption. According to research conducted by information security firm High-Tech Bridge, almost three-quarters of all SSL VPNs use the outdated SSLv3 and SSLv2. In addition, another three-quarters use untrusted certificates exposing users to MitM attacks. 74% use SHA-1 to sign certificates, while 5% of all SSL VPNs still use MD5. All of a sudden, VPNs don't look that secure anymore.

44 of 67 comments

  1. Pot calls kettle black by Anonymous Coward · · Score: 5, Funny

    Says the site that doesn't have SSL support.

    1. Re:Pot calls kettle black by Opportunist · · Score: 1

      RTFA, it's useless anyway 'cause everyone uses outdated ciphers.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Pot calls kettle black by Anonymous Coward · · Score: 1

      That's as stupid as saying just because people can pick locks that locks are useless. SSL (even with outdated shitty ciphers) is still better than nothing as it prevents all hosts of casual attacks.

    3. Re:Pot calls kettle black by AchilleTalon · · Score: 1
      I don't see your point here. This site, I suppose you are talking about news.softpedia.com here, is an informational site only. There is no need to encrypt communication between your browser and this site. You do not exchange credentials and/or passwords and/or any confidential information. In case you haven't noticed, SSL/TLS and encryption are useful only to prevent someone from eavesdropping on the conversation and to authenticate one or both parties. I don't see any usage for this here.

      SSL doesn't prevent hosts from casual attacks. You can use SSL/TLS all the way and still have all your hosts vulnerable to casual attacks.

      --
      Achille Talon
      Hop!
    4. Re:Pot calls kettle black by skegg · · Score: 4, Informative

      >> SSL/TLS and encryption are useful only to prevent someone from eavesdropping on the conversation and to authenticate one or both parties

      Another benefit of SSL-done-right:
      preventing a third-party from injecting additional content -- e.g. a dangerous payload -- into the stream.

      It may not even be a malicious payload. Perhaps just commercial

    5. Re:Pot calls kettle black by dcollins117 · · Score: 1

      ...There is no need to encrypt communication between your browser and this site... In case you haven't noticed, SSL/TLS and encryption are useful only to prevent someone from eavesdropping on the conversation and to authenticate one or both parties.

      Those sound to me like very good reasons for using encryption regardless of whether it is "needed" or not. If I always use encryption, then I don't have to think about when to switch it on and off. It's always on.

      I don't think anyone thinks it will prevent a targeted attack, but it does keep my ISP from sending me emails regarding all the Scooby Doo parody porn someone keeps downloading using my account.

    6. Re:Pot calls kettle black by Anonymous Coward · · Score: 1

      There is one advantage in running TLS (HTTPS) for an information site like Slashdot, it makes it vastly harder for an ISP to inject ad content onto the page.

    7. Re:Pot calls kettle black by Bengie · · Score: 1

      SSL with outdated ciphers can leak your private keys. Sometimes something is worse than nothing.

  2. Is there a rankings site? by AbRASiON · · Score: 1

    or a guide which defines what the best ones are? Many Australians will want to know in the coming 12 months.

    1. Re: Is there a rankings site? by man+bash · · Score: 4, Informative

      The Qualys SSL labs site is pretty useful: https://www.ssllabs.com/

  3. Literally any VPN is better than no VPN by Anonymous Coward · · Score: 4, Insightful

    Even a bad VPN is like WEP encryption on your wireless: It stops people from just reading your traffic without effort, prevents businesses from manipulating your traffic as it passes through their networks, and makes any attempt to do either a crime.

    1. Re:Literally any VPN is better than no VPN by TWX · · Score: 1

      WEP does not prevent people from reading traffic. WEP is broken to the point that it can be decrypted with a userland program that merely has to be run. It's harder to actually capture network traffic than it is to break WEP.

      Otherwise I would agree, provisionally, with your statement. Making the traffic hard to view is normally good enough for the vast majority of cases; it doesn't have to be impossible to view. The problem though, like the aforementioned WEP example, is when the tools to break that weak encryption become automated user processes that don't even need technical expertise. It's one thing if someone has to fire up a bunch of cloud-hosted virtual machines or has to build a significant box full of GPUs to break a password after several weeks or months of effort, but if their tablet or smartphone can run software that exploits a fundamental flaw in the encryption itself, then clearly weak encryption is not useful.

      --
      Do not look into laser with remaining eye.
    2. Re:Literally any VPN is better than no VPN by Anonymous Coward · · Score: 2, Informative

      I use a VPN service, and even if it were relatively breakable, it forces an attacker to be actively attacking the connection. Passive sifting is blocked, which is what I aim for. I use a VPN service for several reasons:

      1: So the local link doesn't have access to all traffic. Some ISPs used to stick identifying headers into every web page request via active MITM. With a VPN, this is blocked.

      2: Crap like Phorm is blocked, so in-flight ads and possibly malvertising is stopped cold.

      3: Passive filtering for headers is nullified.

      4: Block geolocaters. They can use timing attacks to guess, but it does help obfuscate things.

      It may not stop a determined snoop, but like a decent lock, it keeps the amateurs at bay.

    3. Re:Literally any VPN is better than no VPN by Aighearach · · Score: 1

      This is exactly the reason I use a VPN at work for "everything" not customer-facing. I don't really care if a sophisticated attacker could get in; I have backups and would never pay anybody for that data. I'm more worried about casual access, and confidential business data ending up in web caches or other databases.

      Doesn't mean I leave things less secure than practicable, it just means that I don't get snooty about having it locked down well. The important thing is having it locked down at all!

      Heck, my car isn't entirely locked down either; a professional could break in a few seconds. If my car got stolen it would cause me more grief than if my webservers got p0wned; I can't just re-install my car the same day.

    4. Re:Literally any VPN is better than no VPN by vux984 · · Score: 2

      There are 2 parts to this; and I'm not sure which applies, or perhaps both:

        If the 90% number applies only to VPN proxy services for the purposes you mention; to simply give you a 1-hop bridge past whatever nonsense your ISP is doing and to cheese off advertisers and region-restricting geolocates and so forth, that's one thing.

      But

      If the 90% number also includes actual SSL VPNs protecting remote access to private networks (or perhaps SSL VPN remote access to YOUR network), that's pretty horrifying.

    5. Re:Literally any VPN is better than no VPN by TWX · · Score: 1

      My point is that the effort to read WEP traffic is almost nil. The effort to capture packets and interpret them is greater.

      Or to put it another way, if they're coming equipped to capture your traffic, WEP is absolutely no barrier whatsoever.

      --
      Do not look into laser with remaining eye.
    6. Re:Literally any VPN is better than no VPN by Bengie · · Score: 1

      His point was you can't even get out of bed without effort. The barrier to entry to crack WEP is about the same difficulty as installing Chrome and even less difficulty than installing Wireshark. That's their point. I have not even tried to research this topic other than "it's easy" according to researchers.

    7. Re:Literally any VPN is better than no VPN by thegarbz · · Score: 1

      The anonymous GP has a point nonetheless. You can capture and break WEP, but you can't read the traffic "inadvertently". Now you have intent on your side of the law.

  4. Untrusted certs by rtkluttz · · Score: 4, Insightful

    I'm not sure he is talking about what I think he is talking about with untrusted certs. Self signed certs are MORE secure as long as the party at both ends understands the process. You simply cannot have a true secret when there is a 3rd party. Certificate authorities are only there to make the process acceptably easy for those who don't know what is going on.

    --
    Digital is, by definition, imperfect. Analog is the way to go.
    1. Re: Untrusted certs by JourneymanMereel · · Score: 4, Informative

      I'm pretty sure that my SSL VPN would not be included in this survey as we don't publish it and only give the URL to those that need it... But if it were, it would be in this insecure category because of an untrusted certificate. Except it's not. The certificate is signed using our internal CA which is trusted on all company computers. We don't want people connecting using their personal computers so I'm not at all concerned with putting a globally trusted cert on it. Other than that, it is secure. We don't use SHA1, we do use TLS rather than SSL, and we use FS. So while they would call it a fail, I would not.

      --
      Life has many choices. Eternity has two. What's yours?
    2. Re:Untrusted certs by xxxJonBoyxxx · · Score: 1

      >> I'm not sure he is talking about what I think he is talking about with untrusted certs

      I had that impression too. When I've used VPNs with certs, it's been in situations where mutual authentication of specific certificates was used - no CAs necessary. Anyone who's used client keys with SSH or even just PGP would be familiar with the situation.

    3. Re:Untrusted certs by Aighearach · · Score: 1, Offtopic

      Never click the story. This is slashdot.

      Instead, research the subject independently and come back here to discuss things more interesting than whatever vapid shit the story went on and on about.

    4. Re:Untrusted certs by khasim · · Score: 1

      I'm pretty sure that the journalist who wrote this did not understand the material. From TFA:

      High-Tech Bridge experts say that most of these untrusted certificates are because many SSL VPNs come with default pre-installed certificates that are rarely updated.

      The rarely updated part can be bad. Particularly if we're talking about SSL2 and so on.

      But unless the vendor is using the same certificate on all the boxes they sell, I'm not seeing a big problem.

    5. Re:Untrusted certs by vidarlo · · Score: 1

      I'm not sure he is talking about what I think he is talking about with untrusted certs. Self signed certs are MORE secure as long as the party at both ends understands the process. You simply cannot have a true secret when there is a 3rd party. Certificate authorities are only there to make the process acceptably easy for those who don't know what is going on.

      You don't give your certificate to a third party by getting a signed certificate. You generate a signing request, which contains a checksum of your certificate and the details of the certificate. Then your upstream CA signs this signing request.

      The private part of the certificate never leaves your computer. Clearly you do not have the faintest idea how the SSL protocol works.

    6. Re:Untrusted certs by Fnord666 · · Score: 1

      Self signed certs are MORE secure as long as the party at both ends understands the process.

      I'm not sure how that can be since all root certs are simply self-signed certs. There are just the ones that someone else has told us to trust, such as the ones that come by default in your browser, and the ones that you deliberately choose to trust. There's also nothing that says you can't delete any "trusted" certs that you choose not to trust.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
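  The two findings the thread keeps circling back to, a certificate signed with SHA-1 or MD5 (what the SSL Labs scanner reports, per the comment above recommending it) and a certificate whose issuer is simply itself (the "all root certs are self-signed certs" point), are both readable straight out of the DER encoding. The following is an added example, not code from High-Tech Bridge, Qualys or anyone in this thread: a small hand-written DER walker in Python (standard library only) that pulls the outer signatureAlgorithm OID and the issuer/subject Names out of an X.509 certificate and reports both findings, plus a count over several certificates showing why the two percentages can overlap rather than add up. The three sample certificates are constructed inline with a dummy signature; they are not real certificates and nothing here verifies a signature or consults a trust store. The OID tables, names and hostnames are the example's own.

```python
"""Inspect a DER X.509 certificate for a weak signature algorithm and for
issuer == subject (self-signed).  Added example; stdlib only; sample
certificates below are constructed and carry a dummy signature."""

# Signature-algorithm OIDs from RFC 3279 / RFC 5758 (subset used here)
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
ACCEPTED_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def der_read(buf: bytes, pos: int = 0):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes):
    """Split the content octets of a SEQUENCE/SET into (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def decode_oid(value: bytes) -> str:
    """OID content octets -> dotted string (first octet packs the first two arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def inspect_certificate(der: bytes) -> dict:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, cert, _ = der_read(der)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    (_, tbs), (_, sig_alg), _ = der_children(cert)
    fields = der_children(tbs)
    i = 1 if fields[0][0] == 0xA0 else 0    # skip the optional [0] EXPLICIT version
    # fields[i]=serialNumber, [i+1]=signature, [i+2]=issuer, [i+3]=validity, [i+4]=subject
    issuer, subject = fields[i + 2][1], fields[i + 4][1]
    oid = decode_oid(der_children(sig_alg)[0][1])
    return {
        "signature_algorithm": WEAK_SIGNATURE_OIDS.get(oid) or ACCEPTED_SIGNATURE_OIDS.get(oid) or oid,
        "weak_signature": oid in WEAK_SIGNATURE_OIDS,
        # DER is canonical, so byte-equal Names mean issuer == subject; this is the
        # structural self-signed test and says nothing about any trust store
        "self_signed": issuer == subject,
    }


# ---- constructed sample data (not real certificates) ------------------------
def der_encode(tag: int, value: bytes) -> bytes:
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(chunk))
    return der_encode(0x06, bytes(body))


def build_demo_cert(sig_oid: str, issuer_cn: str, subject_cn: str) -> bytes:
    """v3-shaped certificate with a CN-only Name on each side and a dummy signature."""
    def name(cn: str) -> bytes:               # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
        attr = der_encode(0x30, encode_oid("2.5.4.3") + der_encode(0x0C, cn.encode()))
        return der_encode(0x30, der_encode(0x31, attr))
    alg = der_encode(0x30, encode_oid(sig_oid) + der_encode(0x05, b""))
    validity = der_encode(0x30, der_encode(0x17, b"150101000000Z") + der_encode(0x17, b"250101000000Z"))
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")
                     + alg + name(issuer_cn) + validity + name(subject_cn) + der_encode(0x30, b""))
    return der_encode(0x30, tbs + alg + der_encode(0x03, bytes(9)))


DEMO_CERTS = {  # hypothetical hostnames
    "default_appliance_cert": build_demo_cert("1.2.840.113549.1.1.5", "vpn.example", "vpn.example"),
    "internal_ca_issued": build_demo_cert("1.2.840.113549.1.1.11", "Corp Internal CA", "vpn.corp.example"),
    "legacy_md5": build_demo_cert("1.2.840.113549.1.1.4", "Old CA", "vpn.legacy.example"),
}


def summarize(certs: dict) -> dict:
    """Count each finding and their union: the sets overlap, so they need not sum to 100%."""
    reports = {k: inspect_certificate(v) for k, v in certs.items()}
    weak = {k for k, r in reports.items() if r["weak_signature"]}
    selfsigned = {k for k, r in reports.items() if r["self_signed"]}
    return {"weak_signature": len(weak), "self_signed": len(selfsigned),
            "either": len(weak | selfsigned), "total": len(certs)}


if __name__ == "__main__":
    for label, cert in DEMO_CERTS.items():
        print(label, inspect_certificate(cert))
    print(summarize(DEMO_CERTS))
```

  To run this against a real endpoint, feed `inspect_certificate` the bytes returned by `ssl.SSLSocket.getpeercert(binary_form=True)`; the walker only reads the outer signatureAlgorithm and the two Names, so it tolerates the extensions and key types it never looks at. Note that `self_signed` here is the structural issuer-equals-subject test; whether such a certificate is "untrusted" depends entirely on whether the client has been told to trust it, which is exactly the distinction the internal-CA commenter above is drawing.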
  5. isn't this by design? by known_coward_69 · · Score: 2

    I mean how else are no name companies supposed to sell you bandwidth for $5 or $10 a month unless they are mining your data?

    1. Re:isn't this by design? by sims+2 · · Score: 1

      You mean like how verizon wireless charges up to $15/GB and embeds a tracking cookie in your web traffic by default?

      --
      Minimum threshold fixed. Thanks!
    2. Re:isn't this by design? by known_coward_69 · · Score: 1

      yeah, but hardware costs money along with paying people to run the business. 10,000 customers may give you $100,000 of revenue a month at most but there will be a lot of bills to pay

    3. Re:isn't this by design? by known_coward_69 · · Score: 1

      A lot of those towers cost a lot of money to operate, even when not in use. Rent, power, etc. Lots of expenses not related to bandwidth. So you are paying for a lot of infrastructure that may be used maybe 40 hours a week at most.

    4. Re:isn't this by design? by sims+2 · · Score: 1

      Just to be clear are you saying VZW is injecting tracking information in my traffic to save me money?

      --
      Minimum threshold fixed. Thanks!
    5. Re: isn't this by design? by guruevi · · Score: 1

      Most of those expenses have been offloaded to the localities. It would be a LOT more expensive to have a cell phone if they all had to pay their fair share in physical space, taxes, spectrum and energy but most of that is subsidized. The real savings would come if they were actually forced to share the stuff the government gave them through your tax money.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  6. Most machines running VPNs by ls671 · · Score: 2

    "Most machines running VPNs haven't updated their SSL libraries" would be more precise. Maybe some VPNs bundle their own SSL libraries within their product, but in that case, it would make more sense if they used the system-wide libraries.

    For example, you don't need to update OpenVPN, only the SSL libraries:

    https://community.openvpn.net/...

    --
    Everything I write is lies, read between the lines.
    1. Re:Most machines running VPNs by Burz · · Score: 1

      Problem is, their test site doesn't seem to recognize openvpn... claims these sites don't use openvpn.

      It may also be possible that -- since the PIA domains I gave it likely support protocols other than openvpn -- their tool saw something else on another port and stopped and concluded "SSL/TLS not supported".

      So far, it seems like a junk study to me which is too bad.... I would have liked some accurate feedback about VPN services I'm interested in (including the service that /. is pushing).

    2. Re:Most machines running VPNs by Burz · · Score: 1

      Correction: "... claims these sites don't support TLS." Sorry.

    3. Re:Most machines running VPNs by ls671 · · Score: 1

      You just create your own CA cert and you use it to sign the other certs. So you are your own CA. Very accessible to mere mortals... ;-)

      As always, you need to put your CA cert and the signing machine in a safe, without internet connection. I am only half kidding here. The CA cert is not required to run openvpn, only to sign certs.

      https://openvpn.net/index.php/...

      --
      Everything I write is lies, read between the lines.
  7. Re:Surely not the ones for sale below? by stephenmac7 · · Score: 1

    I did buy one of those, because I don't have the money to pay for a nice VPN, but also know that any VPN is better than no VPN (as mentioned above).

    --
    "No man's life, liberty, or property are safe while the legislature is in session." -- Judge Gideon J. Tucker
  8. Uh, just what are they talking about?? by Burz · · Score: 1

    I'm typing VPN domains into their testing tool and it's telling me "This site doesn't support SSL/TLS".

    Last time I checked, most VPNs based on openvpn use TLS, like the ones I tried. My VPN config for privateinternetaccess.com requires the "tls-client" directive and it uses a certificate to validate the server.

    So I don't know what this article is talking about. If openvpn (which uses TLS) is too 'different' a protocol for their tools to examine, then there is something very wrong with the study it's based on.

  9. Re:Dumb; VPN providers != security from government by Anonymous Coward · · Score: 1

    Hard to read you as an authority on the matter when "for all intents and purposes" is glaringly wrong ...

  10. Re:Surely not the ones for sale below? by Traksius+Egas · · Score: 1

    because I don't have the money to pay for a nice VPN

    Not sure how much money you have but I highly recommend CryptoStorm. Very inexpensive, plenty of payment options, and they even have a free, limited to 128kbps, option you can use if you can't afford the higher. Read about their unique token-based authentication that separates the user account/payment information from the company.

  11. Six quarter? by thsths · · Score: 1

    So 3/4 are insecure one way, "another" 3/4 are insecure another way.

    And the remaining -50% are fine?

    1. Re:Six quarter? by Lunix+Nutcase · · Score: 1

      The two groups do not have to be mutually exclusive. Never seen Venn diagrams before, where two groups overlap each other?

    2. Re:Six quarter? by Desler · · Score: 1

      Yes, it's called a union of two sets.

  12. Security services by AHuxley · · Score: 1

    VPNs not mentioned once in UK’s terrifying new internet powers draft bill (4 Nov 2015)
    https://thestack.com/security/...
    ".. force UK ISPs to keep an Internet Connection Record (now jargonised into ‘ICR’) for the previous 12 months for all of its customers, and also for the fact that it begins to deliver on prime minister David Cameron’s frequently-aired misgivings about zero-knowledge consumer-level encryption ... "

    Why the disinterest in VPNs when all other network encryption will be under total gov and mil scrutiny until weakened, designed with a gov backdoor, trapdoored or keys are handed over?

    --
    Domestic spying is now "Benign Information Gathering"
  13. Re:Snake oil runs security business by Bengie · · Score: 1

    SHA1 is no longer considered secure and should be immediately moved off of. It's not MD5 bad, but there have been proofs of concept and theoretical attacks that are claiming to be able to break any key for $250k of cloud compute time.