Slashdot Mirror


90% of All SSL VPNs Use Insecure Or Outdated Encryption

An anonymous reader writes: 90% of all SSL-based VPNs use insecure or outdated encryption. According to research conducted by information security firm High-Tech Bridge, almost three-quarters of all SSL VPNs use the outdated SSLv3 and SSLv2. In addition, another three-quarters use untrusted certificates exposing users to MitM attacks. 74% use SHA-1 to sign certificates, while 5% of all SSL VPNs still use MD5. All of a sudden, VPNs don't look that secure anymore.
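The summary counts certificates signed with SHA-1 or MD5 as a weakness. As an added example (not code from the story, from Slashdot or from High-Tech Bridge), the following Python reads the signature algorithm OID straight out of a certificate's DER encoding and flags MD5 and SHA-1 signatures without any third-party library. The `fake_cert` helper builds constructed, certificate-shaped sample input (not real certificates) so the check runs offline; `fetch_der` is the one call you would point at a real endpoint, and `host`/`port` there are whatever you are auditing.

```python
import ssl

# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) mapped to the hash they use.
SIG_ALG_HASH = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",    # ecdsa-with-SHA512
}
WEAK_HASHES = {"md5", "sha1"}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """DER OBJECT IDENTIFIER content bytes -> dotted-decimal string."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear: last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(der_cert):
    """OID of the outer signatureAlgorithm field of a DER X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, body, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)                 # skip tbsCertificate entirely
    tag, alg_id, _ = _read_tlv(body, pos)             # AlgorithmIdentifier SEQUENCE
    tag2, oid_bytes, _ = _read_tlv(alg_id, 0)         # its OBJECT IDENTIFIER
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("unexpected AlgorithmIdentifier encoding")
    return _decode_oid(oid_bytes)


def classify_signature(der_cert):
    """Return (oid, hash_name, is_weak); unknown OIDs are reported, not guessed."""
    oid = signature_algorithm_oid(der_cert)
    digest = SIG_ALG_HASH.get(oid, "unknown")
    return oid, digest, digest in WEAK_HASHES


def fetch_der(host, port=443):
    """Fetch a live endpoint's leaf certificate as DER (network; not used by the sample run)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


# --- Constructed sample input: certificate-shaped DER, NOT a real certificate. ---
def _der(tag, content):
    """Minimal DER TLV encoder covering short and long length forms."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content


def _encode_oid(dotted):
    """Dotted-decimal string -> DER OBJECT IDENTIFIER content bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)


def fake_cert(sig_oid, tbs_len=300):
    """Placeholder TBS (padded so long-form lengths occur) + AlgorithmIdentifier + empty signature."""
    tbs = _der(0x30, _der(0x04, b"\x00" * tbs_len))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))   # OID + NULL params
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(classify_signature(fake_cert(oid)))
```

Only the outer SEQUENCE is walked, so the parser never has to understand the TBSCertificate body; for a real endpoint, `classify_signature(fetch_der(host, port))` gives the same triple for the leaf certificate. Note that a SHA-1 signature on a self-signed root is harmless (the signature is never verified), so this check matters for the leaf and intermediate certificates.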

10 of 67 comments

  1. Pot calls kettle black by Anonymous Coward · Score: 5, Funny

    Says the site that doesn't have SSL support.

    1. Re:Pot calls kettle black by skegg · Score: 4, Informative

      >> SSL/TLS and encryption are useful only to prevent someone from eavesdropping on the conversation and to authenticate one or both parties

      Another benefit of SSL-done-right:
      preventing a third-party from injecting additional content -- e.g. a dangerous payload -- into the stream.

      It may not even be a malicious payload. Perhaps just commercial

  2. Literally any VPN is better than no VPN by Anonymous Coward · Score: 4, Insightful

    Even a bad VPN is like WEP encryption on your wireless: It stops people from just reading your traffic without effort, prevents businesses from manipulating your traffic as it passes through their networks, and makes any attempt to do either a crime.

    1. Re:Literally any VPN is better than no VPN by Anonymous Coward · Score: 2, Informative

      I use a VPN service, and even if it were relatively breakable, it forces an attacker to be actively attacking the connection. Passive sifting is blocked, which is what I aim for. I use a VPN service for several reasons:

      1: So the local link doesn't have access to all traffic. Some ISPs used to stick identifying headers into every web page request via active MITM. With a VPN, this is blocked.

      2: Crap like Phorm is blocked, so in-flight ads and possibly malvertising are stopped cold.

      3: Passive filtering for headers is nullified.

      4: Block geolocators. They can use timing attacks to guess, but it does help obfuscate things.

      It may not stop a determined snoop, but like a decent lock, it keeps the amateurs at bay.

    2. Re:Literally any VPN is better than no VPN by vux984 · Score: 2

      There are 2 parts to this, and I'm not sure which applies, or perhaps both:

      If the 90% number applies only to VPN proxy services for the purposes you mention, to simply give you a 1-hop bridge past whatever nonsense your ISP is doing and to cheese off advertisers and region-restricting geolocators and so forth, that's one thing.

      But

      If the 90% number also includes actual SSL VPNs protecting remote access to private networks (or perhaps SSL VPN remote access to YOUR network), that's pretty horrifying.

  3. Untrusted certs by rtkluttz · Score: 4, Insightful

    I'm not sure he is talking about what I think he is talking about with untrusted certs. Self-signed certs are MORE secure as long as the party at both ends understands the process. You simply cannot have a true secret when there is a 3rd party. Certificate authorities are only there to make the process acceptably easy for those who don't know what is going on.

    --
    Digital is, by definition, imperfect. Analog is the way to go.

    1. Re: Untrusted certs by JourneymanMereel · Score: 4, Informative

      I'm pretty sure that my SSL VPN would not be included in this survey as we don't publish it and only give the URL to those that need it... But if it were, it would be in this insecure category because of an untrusted certificate. Except it's not. The certificate is signed using our internal CA which is trusted on all company computers. We don't want people connecting using their personal computers so I'm not at all concerned with putting a globally trusted cert on it. Other than that, it is secure. We don't use SHA1, we do use TLS rather than SSL, and we use FS. So while they would call it a fail, I would not.

      --
      Life has many choices. Eternity has two. What's yours?

  4. isn't this by design? by known_coward_69 · Score: 2
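The comment above describes a deployment that the survey would score as "untrusted certificate" but that is actually sound for its purpose: an internal CA trusted by managed clients, TLS rather than SSL, and forward secrecy. As an added example (not the commenter's configuration and not code from the story), the following Python builds a client-side TLS policy that enforces exactly those three properties and reports what it enforces. The CA file path is an assumed placeholder, and `probe` takes whatever host and port you are checking; only the policy-building and reporting functions run offline.

```python
import socket
import ssl


def make_strict_context(internal_ca_pem=None):
    """Client SSLContext that refuses SSLv2/SSLv3/TLS 1.0/TLS 1.1 and, when an
    internal CA file is given, trusts that CA alone instead of the public bundle."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # already CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret suites only: ephemeral (EC)DH key exchange with AEAD ciphers.
    # TLS 1.3 suites are always forward-secret and are not governed by this string.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    if internal_ca_pem is not None:
        # e.g. "/etc/pki/internal-ca.pem" (placeholder path, not from the comment)
        ctx.load_verify_locations(cafile=internal_ca_pem)
    else:
        ctx.load_default_certs()
    return ctx


def forward_secret_only(ctx):
    """True if every enabled suite uses ephemeral (EC)DH key exchange (or is TLS 1.3)."""
    return all(
        c["protocol"] == "TLSv1.3" or "ECDHE" in c["name"] or c["name"].startswith("DHE")
        for c in ctx.get_ciphers()
    )


def policy_summary(ctx):
    """Plain-data view of the policy, handy for logging or a config-drift check."""
    legacy_markers = ("RC4", "MD5", "DES", "NULL", "EXPORT")
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "forward_secret_only": forward_secret_only(ctx),
        "legacy_suites": [c["name"] for c in ctx.get_ciphers()
                          if any(m in c["name"] for m in legacy_markers)],
    }


def probe(host, port, ctx, timeout=5.0):
    """Handshake once under the policy and report what was negotiated (network)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            issuer = dict(rdn[0] for rdn in cert["issuer"])
            return {
                "protocol": tls.version(),          # e.g. "TLSv1.2" / "TLSv1.3"
                "cipher": tls.cipher()[0],
                "issuer_cn": issuer.get("commonName"),
            }


if __name__ == "__main__":
    print(policy_summary(make_strict_context()))
```

Because `minimum_version` is pinned at TLS 1.2, a server that only offers SSLv3 or an older TLS fails the handshake in `probe` rather than silently downgrading, and with `load_verify_locations` pointing at the internal CA a certificate from any public CA is rejected, which is the inverse of what the survey's "untrusted certificate" metric measures.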

    I mean how else are no name companies supposed to sell you bandwidth for $5 or $10 a month unless they are mining your data?

  5. Most machines running VPNs by ls671 · Score: 2

    "Most machines running VPNs haven't updated their SSL libraries" could be more precise. Maybe some VPNs bundle their own SSL libraries within their product, but in that case it would make more sense if they used the system-wide libraries.

    Example, you don't need to update OpenVPN, only the SSL libraries:

    https://community.openvpn.net/...

    --
    Everything I write is lies, read between the lines.

  6. Re: Is there a rankings site? by man+bash · Score: 4, Informative

    The Qualys SSL labs site is pretty useful: https://www.ssllabs.com/