Slashdot Mirror


90% of All SSL VPNs Use Insecure Or Outdated Encryption

An anonymous reader writes: 90% of all SSL-based VPNs use insecure or outdated encryption. According to research conducted by information security firm High-Tech Bridge, almost three-quarters of all SSL VPNs use the outdated SSLv3 and SSLv2. In addition, another three-quarters use untrusted certificates exposing users to MitM attacks. 74% use SHA-1 to sign certificates, while 5% of all SSL VPNs still use MD5. All of a sudden, VPNs don't look that secure anymore.

6 of 67 comments

  1. Pot calls kettle black by Anonymous Coward · · Score: 5, Funny

    Says the site that doesn't have SSL support.

    1. Re:Pot calls kettle black by skegg · · Score: 4, Informative

      >> SSL/TLS and encryption are useful only to prevent someone from eavesdropping on the conversation and to authenticate one or both parties

      Another benefit of SSL-done-right:
      preventing a third party from injecting additional content -- e.g. a dangerous payload -- into the stream.

      It may not even be a malicious payload. Perhaps just commercial

  2. Literally any VPN is better than no VPN by Anonymous Coward · · Score: 4, Insightful

    Even a bad VPN is like WEP encryption on your wireless: It stops people from just reading your traffic without effort, prevents businesses from manipulating your traffic as it passes through their networks, and makes any attempt to do either a crime.

  3. Untrusted certs by rtkluttz · · Score: 4, Insightful

    I'm not sure he is talking about what I think he is talking about with untrusted certs. Self-signed certs are MORE secure as long as the party at both ends understands the process. You simply cannot have a true secret when there is a third party. Certificate authorities are only there to make the process acceptably easy for those who don't know what is going on.

    --
    Digital is, by definition, imperfect. Analog is the way to go.

    1. Re: Untrusted certs by JourneymanMereel · · Score: 4, Informative

      I'm pretty sure that my SSL VPN would not be included in this survey as we don't publish it and only give the URL to those that need it... But if it were, it would be in this insecure category because of an untrusted certificate. Except it's not. The certificate is signed using our internal CA which is trusted on all company computers. We don't want people connecting using their personal computers so I'm not at all concerned with putting a globally trusted cert on it. Other than that, it is secure. We don't use SHA1, we do use TLS rather than SSL, and we use FS. So while they would call it a fail, I would not.

      --
      Life has many choices. Eternity has two. What's yours?

  4. Re: Is there a rankings site? by man+bash · · Score: 4, Informative

    The Qualys SSL labs site is pretty useful: https://www.ssllabs.com/
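As an added example (not from the story, High-Tech Bridge, or any commenter above), the script below checks a single endpoint for the three things the summary counts against SSL VPNs: an SSLv2/SSLv3 handshake, an MD5- or SHA-1-signed certificate, and a chain the client does not trust. It also shows the point JourneymanMereel makes about an internal CA: passing `cafile` trusts that CA explicitly instead of the public store. It uses only the Python standard library; the hostname, port and CA file are assumptions supplied by the caller, and `sample_cert` builds a constructed DER skeleton purely so the signature-OID parser can be exercised offline.

```python
"""Audit one TLS endpoint against the story's criteria (added example)."""
import socket
import ssl
from dataclasses import dataclass

OUTDATED_PROTOCOLS = {"SSLv2", "SSLv3"}   # versions the story counts as outdated
WEAK_SIG_HASHES = {"md5", "sha1"}         # signature hashes the story counts as weak

# DER-encoded signature-algorithm OIDs -> hash algorithm they use.
OID_TO_HASH = {
    bytes.fromhex("2a864886f70d010104"): "md5",     # md5WithRSAEncryption
    bytes.fromhex("2a864886f70d010105"): "sha1",    # sha1WithRSAEncryption
    bytes.fromhex("2a864886f70d01010b"): "sha256",  # sha256WithRSAEncryption
    bytes.fromhex("2a864886f70d01010c"): "sha384",  # sha384WithRSAEncryption
    bytes.fromhex("2a8648ce3d0401"): "sha1",        # ecdsa-with-SHA1
    bytes.fromhex("2a8648ce3d040302"): "sha256",    # ecdsa-with-SHA256
}


def _tlv(buf, pos):
    """Parse one DER tag and length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def signature_hash(der_cert):
    """Hash named by the outer signatureAlgorithm of a DER certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, pos, _ = _tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _tlv(der_cert, pos)           # skip tbsCertificate
    _, alg_pos, _ = _tlv(der_cert, tbs_end)       # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _tlv(der_cert, alg_pos)
    if tag != 0x06:
        raise ValueError("expected OID inside AlgorithmIdentifier")
    return OID_TO_HASH.get(der_cert[oid_start:oid_end], "unknown")


def hardened_client_context(cafile=None):
    """Client context that refuses SSLv2/SSLv3 (and TLS 1.0/1.1) and requires a
    chain anchored in a trusted CA; `cafile` trusts an internal CA explicitly."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


@dataclass
class Observation:
    protocol: str        # as reported by SSLSocket.version(), e.g. "TLSv1.2"
    sig_hash: str        # hash used to sign the leaf certificate
    chain_trusted: bool  # verification against the chosen CA set succeeded


def grade(obs):
    """Findings a scan applying the story's criteria would raise for one endpoint."""
    findings = []
    if obs.protocol in OUTDATED_PROTOCOLS:
        findings.append(f"outdated protocol {obs.protocol}")
    if obs.sig_hash in WEAK_SIG_HASHES:
        findings.append(f"certificate signed with {obs.sig_hash}")
    if not obs.chain_trusted:
        findings.append("certificate chain not trusted by this client")
    return findings


def probe(host, port=443, cafile=None, timeout=5.0):
    """Handshake only (no application data) and collect an Observation."""
    ctx = hardened_client_context(cafile)
    trusted = True
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            return Observation(tls.version(), signature_hash(tls.getpeercert(True)), trusted)
    except ssl.SSLCertVerificationError:
        trusted = False   # reconnect unverified only to read what the server presents
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        return Observation(tls.version(), signature_hash(tls.getpeercert(True)), trusted)


def _der(tag, body):
    """Short-form DER TLV; sample bodies are all under 128 bytes."""
    return bytes([tag, len(body)]) + body


def sample_cert(sig_oid_hex):
    """Constructed minimal Certificate skeleton carrying the given signature OID."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                        # stand-in tbsCertificate
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\xde\xad"))   # dummy signatureValue
```

Usage is `grade(probe("vpn.example.invalid", cafile="internal-ca.pem"))` with your own host and CA file in place of those placeholders. Because the context refuses anything below TLS 1.2, a server that only speaks SSLv2/SSLv3 fails the handshake with an `ssl.SSLError` rather than producing an Observation; that failure is itself the finding. The retry with verification disabled exists only so the protocol and signature hash can still be recorded for an endpoint whose chain is untrusted; nothing is sent over that connection.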