New Study: SSL VPN Vulnerabilities in 90 Percent of Servers Scanned
A striking number of secure sockets layer virtual private network (SSL VPN) servers appear to be vulnerable to cyberattacks, according to a new study that looked at more than 10,000 SSL VPN security profiles.
According to The Register, 9 in 10 of the servers examined in the new analysis were found to use obsolete, untrusted, insecure, out-of-compliance and exploitable encryption. The report characterized these faulty servers as “hopelessly insecure.”
“Put simply, there’s a disconnect here,” Security Intelligence noted. “Providers talk big about scoring secure connections and Internet anonymity, but most have missed the mark.”
The following highlights from the report include some of the most glaring vulnerabilities:
- About 77 percent of the SSL VPNs used SSLv3 protocol, which dates back to 1996. Approximately 100 of the servers studied used even older protocol versions.
- Seventy-six percent of the servers presented untrusted certificates, that is, certificates that do not chain to a trusted certificate authority. A client then has no way to tell the real server from an impostor presenting its own certificate, so an attacker on the path could impersonate the VPN and intercept data.
- Nearly 74 percent of certificates associated with the SSL VPNs examined were still signed with SHA-1. The SHA-1 hash algorithm, published in 1995, is scheduled to be retired from certificates by 2017; according to Netcraft, NIST now approves only the SHA-2 and SHA-3 families for new digital signatures.
- Approximately 41 percent of the certificates used keys shorter than 2048 bits, below the 2048-bit minimum now required for public certificates and considered the floor for adequate resistance to factoring attacks.
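As an added example (not part of the study or of the articles quoted above), the following shell script uses the openssl command-line tool to check a certificate file, and optionally a live endpoint, for the four weaknesses the study counted: a SHA-1 (or MD5) signature, a public key shorter than 2048 bits, a certificate that does not validate against the local trust store, and acceptance of SSLv3. The host name vpn.example in the usage comment is a placeholder, not a server from the study, and "trusted" here means whatever root store the local openssl build consults.

```shell
#!/bin/sh
# Added example (not from the study): audit a certificate file and,
# optionally, a live SSL VPN endpoint for the four weaknesses counted
# above, using only the openssl command-line tool.
# "vpn.example" below is a placeholder host, not a server from the study.

# audit_cert_file PEM
# Prints one line per finding and returns the number of findings
# (0 = clean, 99 = unreadable certificate) so callers can branch on it.
audit_cert_file() {
    pem="$1"
    findings=0
    text=$(openssl x509 -in "$pem" -noout -text 2>/dev/null) || return 99

    # Finding: SHA-1 (or MD5) signature on the certificate (74% in the study).
    # The first "Signature Algorithm:" line names the algorithm the issuer used.
    sigalg=$(printf '%s\n' "$text" | grep -m1 'Signature Algorithm:' | awk '{print $3}')
    case "$sigalg" in
        sha1*|*SHA1|md5*|md2*)
            echo "WEAK-SIGNATURE: certificate signed with $sigalg"
            findings=$((findings + 1)) ;;
    esac

    # Finding: RSA/DSA key shorter than 2048 bits (41% in the study).
    # EC keys are measured on a different scale, so the threshold applies
    # only to rsaEncryption and dsaEncryption keys.
    keyalg=$(printf '%s\n' "$text" | grep -m1 'Public Key Algorithm:' | awk '{print $4}')
    bits=$(printf '%s\n' "$text" | grep -m1 'Public-Key:' | tr -dc '0-9')
    case "$keyalg" in
        rsaEncryption|dsaEncryption)
            if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
                echo "WEAK-KEY: $keyalg key is only $bits bits"
                findings=$((findings + 1))
            fi ;;
    esac

    # Finding: certificate does not chain to a root in the local trust store
    # (76% in the study). A client then cannot tell the real VPN from an
    # impostor that presents its own certificate.
    if ! openssl verify "$pem" >/dev/null 2>&1; then
        echo "UNTRUSTED: certificate does not chain to a trusted root"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# audit_host HOST [PORT]
# Fetches the leaf certificate the endpoint presents, audits it, then
# probes for SSLv3 (77% in the study). Most current openssl builds are
# compiled without SSLv3, so the probe reports "not testable" rather
# than silently passing the server.
audit_host() {
    host="$1"; port="${2:-443}"
    tmp=$(mktemp)
    if ! openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
            | openssl x509 -outform PEM >"$tmp" 2>/dev/null; then
        echo "ERROR: no certificate retrieved from $host:$port"
        rm -f "$tmp"; return 99
    fi
    n=0
    audit_cert_file "$tmp" || n=$?
    rm -f "$tmp"
    if openssl s_client -help 2>&1 | grep -q -- '-ssl3'; then
        if openssl s_client -connect "$host:$port" -ssl3 </dev/null >/dev/null 2>&1; then
            echo "SSLV3: server completed an SSLv3 handshake"
            n=$((n + 1))
        fi
    else
        echo "SSLV3: not testable, this openssl build has no SSLv3 support"
    fi
    return "$n"
}

# Usage (placeholder host): audit_host vpn.example 443; echo "findings: $?"
```

The return value is the finding count so the script can feed a larger scan loop; the SSLv3 probe deliberately distinguishes "refused" from "not testable", because an openssl build without SSLv3 support fails the connection for its own reasons and would otherwise look like a clean result.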
Users of an SSL VPN reach a private network across the public Internet through an encrypted channel. The VPN provides that channel in one of two ways: through a browser-based portal, where the server presents its certificate, the user authenticates, and the portal then proxies access to internal applications; or through a tunnel client that places the user's machine on the private network so it can reach network services directly.
The findings are not surprising to the IT community or to private users, according to Security Intelligence, but they are significant. Virtual private network use is growing, and leaving so many servers with so many weaknesses will put data at risk in the near future unless businesses and consumers bring the encryption configurations of these servers up to date.