New Study: SSL VPN Vulnerabilities in 90 Percent of Servers Scanned

By: James O'Brien

A striking share of secure sockets layer virtual private network (SSL VPN) servers appear to be open to attack, according to a new study that examined the TLS configurations of more than 10,000 SSL VPN servers.

According to The Register, 9 in 10 of the servers examined in the new analysis were found to use obsolete, untrusted, insecure, out-of-compliance or outright exploitable encryption settings. The report characterized these servers as “hopelessly insecure.”

“Put simply, there’s a disconnect here,” Security Intelligence noted. “Providers talk big about scoring secure connections and Internet anonymity, but most have missed the mark.”

The following highlights from the report include some of the most glaring vulnerabilities:

  • About 77 percent of the SSL VPNs still accepted SSLv3, a protocol from 1996 that the POODLE attack (CVE-2014-3566) rendered unsafe and that RFC 7568 has since prohibited. Approximately 100 of the servers studied still accepted even older protocol versions.
  • Seventy-six percent of the servers presented untrusted certificates, meaning self-signed certificates or ones that do not chain to a root the client trusts. A client cannot tell such a certificate from one an attacker forged, so an attacker positioned on the network path can impersonate the server and intercept the session.
  • Nearly 74 percent of the certificates associated with the SSL VPNs examined still carried SHA-1 signatures. SHA-1 dates to 1995; NIST disallowed it for new digital signatures after 2013, and major browsers stopped accepting SHA-1 certificates in early 2017. The SHA-2 and SHA-3 families are the only hash functions NIST currently approves for signatures, according to Netcraft.
  • Approximately 41 percent of the certificates used RSA keys shorter than 2048 bits, below the minimum that NIST and the CA/Browser Forum have required for new certificates since 2014.
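The four bullets above amount to a checklist a scanner can apply to any TLS endpoint. The Go program below is an added example, not code from the study or from this article: it encodes those four checks with the standard library's crypto/x509 and crypto/tls packages and exercises them against a constructed self-signed certificate that has the weaknesses the study found most often, a 1024-bit RSA key and a SHA-1 signature. The function names `assess` and `selfSigned`, the host name vpn.example.test, and the decision to flag TLS 1.0/1.1 as deprecated (per RFC 8996) in addition to SSLv3 are assumptions of this example. The negotiated protocol version is passed in as a number because Go's crypto/tls cannot speak SSLv3 at all, so a real scan would record it from a handshake attempt with another tool rather than from a Go client.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Wire-format protocol versions. crypto/tls no longer offers SSLv3 as a
// usable version, so its value (0x0300) is spelled out here.
const (
	versionSSL30 uint16 = 0x0300
	versionTLS12 uint16 = tls.VersionTLS12
)

// assess applies the study's four checks to one observed endpoint: the
// negotiated protocol version, whether cert chains to a root in roots,
// the signature hash, and the RSA modulus size. An empty result means
// the endpoint passed all four. (Added example, not the study's code.)
func assess(version uint16, cert *x509.Certificate, roots *x509.CertPool) []string {
	var findings []string

	if version <= versionSSL30 {
		findings = append(findings, fmt.Sprintf("protocol 0x%04x is SSLv3 or older", version))
	} else if version < versionTLS12 {
		// Beyond the study's list: TLS 1.0 and 1.1 were deprecated by RFC 8996.
		findings = append(findings, fmt.Sprintf("protocol 0x%04x is TLS 1.0/1.1 (deprecated)", version))
	}

	// "Untrusted" means the chain does not end at a root the client trusts;
	// a self-signed leaf fails this against any pool it is not itself in.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		findings = append(findings, "untrusted certificate: "+err.Error())
	}

	switch cert.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA,
		x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		findings = append(findings, "weak signature hash: "+cert.SignatureAlgorithm.String())
	}

	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		findings = append(findings, fmt.Sprintf("RSA key is only %d bits", pub.N.BitLen()))
	}
	return findings
}

// selfSigned builds an in-memory self-signed certificate with the given
// RSA key size and signature algorithm. It is a constructed fixture for
// this example, not a certificate taken from any real VPN.
func selfSigned(bits int, alg x509.SignatureAlgorithm) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: "vpn.example.test"}, // hypothetical host
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().Add(24 * time.Hour),
		SignatureAlgorithm: alg,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// A server matching the study's typical profile: SSLv3 accepted,
	// self-signed, SHA-1 signed, 1024-bit RSA. All four checks fail.
	weak, err := selfSigned(1024, x509.SHA1WithRSA)
	if err != nil {
		panic(err)
	}
	for _, f := range assess(versionSSL30, weak, x509.NewCertPool()) {
		fmt.Println("FAIL:", f)
	}

	// The same server fixed: TLS 1.2, 2048-bit RSA, SHA-256, and a
	// certificate the client trusts (here by placing it in the pool).
	good, err := selfSigned(2048, x509.SHA256WithRSA)
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(good)
	fmt.Println("fixed server findings:", assess(versionTLS12, good, roots))
}
```

Against a live server you would take the leaf certificate and the negotiated version from a handshake (for SSLv3 acceptance, `openssl s_client -connect host:443 -ssl3` on an OpenSSL build that still includes SSLv3) and hand them to `assess` together with the system root pool from `x509.SystemCertPool()`, which is what a real client would trust.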

Users of an SSL VPN reach a private network across the public Internet through an encrypted TLS session. SSL VPNs offer this in one of two modes: a clientless portal, where the user authenticates to a web page served over TLS and reaches internal applications through the browser, or a tunnel mode, where client software builds an encrypted tunnel that places the user's machine on the network. In both modes, the server's certificate and TLS configuration are all that stands between the user and an impostor, which is why the four findings above matter.

The news of the vulnerabilities is not surprising within the IT and private-user community, according to Security Intelligence, but the findings are significant. Virtual private network use is on the rise among both businesses and individual users. Leaving so many servers with so many weaknesses will compromise data security in the near future unless businesses and consumers shore up the encryption settings in place: disable SSLv3 and earlier, deploy certificates from a trusted CA, and reissue anything still signed with SHA-1 or using keys shorter than 2048 bits.



About The Author

James O'Brien

Freelance Writer

As a journalist and writer in the branded content space, James O'Brien covers business, technology, social media, marketing, film, food, wine, writing and news. The Nieman Journalism Lab has called his work in the custom content space "sponsored content done right." He has written for major regional newspapers, and he has managed and edited established, startup and turnaround newsrooms in varied markets, from community papers to major-city dailies. He consults for firms and businesses — startups to seasoned — on the creation of effective content strategies and the establishment of practical editorial calendars for enacting them. O'Brien holds a Ph.D. in Editorial Studies from the Editorial Institute at Boston University, where he researched and edited Bob Dylan's other-than-song writings. He is engaged in a bibliography for Oxford University Press, covering writings about filmmaker John Cassavetes. He is the author of "The Indie Writer's Survival Guide." His short stories and poetry are published in numerous journals and magazines.
