90% of All SSL VPNs Use Insecure Or Outdated Encryption

An anonymous reader writes: 90% of all SSL-based VPNs use insecure or outdated encryption. According to research conducted by information security firm High-Tech Bridge, almost three-quarters of all SSL VPNs use the outdated SSLv3 and SSLv2. In addition, another three-quarters use untrusted certificates exposing users to MitM attacks. 74% use SHA-1 to sign certificates, while 5% of all SSL VPNs still use MD5. All of a sudden, VPNs don't look that secure anymore.
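The SHA-1 and MD5 figures in the summary refer to the digest named in a certificate's signature algorithm. As an added example (not from the article, from High-Tech Bridge's tool, or from any commenter), the Python below pulls that algorithm out of a DER-encoded X.509 certificate with a minimal ASN.1 walk and classifies it the way the study does. The sample certificates are constructed skeletons built by `fake_certificate`; `fetch_der` (a hypothetical helper name) is the only part that touches the network and is not exercised offline.

```python
import ssl

# Signature-algorithm OIDs (RFC 3279, RFC 4055, RFC 5758), keyed by dotted form.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
ACCEPTED_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos] -> (tag, contents, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(contents):
    """DER OBJECT IDENTIFIER contents -> dotted string (first octet packs the first two arcs)."""
    first = contents[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # a clear high bit ends the base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der_cert):
    """Dotted OID of the outer signatureAlgorithm of a DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    The outer field records what the issuer actually signed with, which is what
    the SHA-1/MD5 numbers are about.
    """
    tag, body, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)                 # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)          # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    oid_tag, oid, _ = _read_tlv(alg_id, 0)
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def classify_signature(der_cert):
    """('weak' | 'ok' | 'unknown', algorithm name or raw OID) for the certificate's signature."""
    oid = signature_algorithm(der_cert)
    if oid in WEAK_SIGNATURE_OIDS:
        return "weak", WEAK_SIGNATURE_OIDS[oid]
    if oid in ACCEPTED_SIGNATURE_OIDS:
        return "ok", ACCEPTED_SIGNATURE_OIDS[oid]
    return "unknown", oid


def fetch_der(host, port=443):
    """Leaf certificate a TLS endpoint presents (network; hypothetical helper, unused offline).
    get_server_certificate does not verify the chain, which is what an audit wants."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


# --- constructed sample input, not real certificates ---------------------------------------
def _der(tag, payload):
    """Encode one TLV, switching to long-form length when the payload exceeds 127 bytes."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    length_octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_octets)]) + length_octets + payload


def _encode_oid(dotted):
    """Inverse of _decode_oid, used only to build the sample AlgorithmIdentifier."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return bytes(out)


def fake_certificate(sig_oid):
    """Skeleton certificate: padded placeholder tbsCertificate (long-form length on purpose),
    a real AlgorithmIdentifier for sig_oid with NULL params, and an empty signature BIT STRING."""
    tbs = _der(0x30, b"\x00" * 200)
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    sig = _der(0x03, b"\x00" * 17)
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, classify_signature(fake_certificate(oid)))
```

On a real endpoint, `classify_signature(fetch_der("vpn.example.test", 443))` answers the SHA-1/MD5 question for the leaf only; the study's "untrusted certificate" finding is a separate chain-validation question that needs a full verifying handshake, not a parse.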
  • by Anonymous Coward on Friday February 26, 2016 @05:10PM (#51594245)

    Says the site that doesn't have SSL support.

    • RTFA, it's useless anyway 'cause everyone uses outdated ciphers.

      • by Anonymous Coward

        That's as stupid as saying just because people can pick locks that locks are useless. SSL (even with outdated shitty ciphers) is still better than nothing as it prevents all hosts of casual attacks.

        • I don't see your point here. This site, I suppose you are talking about news.softpedia.com here, is an informational site only. There is no need to encrypt communication between your browser and this site. You do not exchange credentials and/or passwords and/or any confidential information. In case you haven't noticed, SSL/TLS and encryption are useful only to prevent someone from eavesdropping on the conversation and to authenticate one or both parties. I don't see any usage for this here.

          SSL doesn't prevent hosts

          • by skegg ( 666571 ) on Friday February 26, 2016 @07:07PM (#51595377)

            >> SSL/TLS and encryption are useful only to prevent someone from eavesdropping on the conversation and to authenticate one or both parties

            Another benefit of SSL-done-right:
            preventing a third-party from injecting additional content -- e.g. a dangerous payload -- into the stream.

            It may not even be a malicious payload. Perhaps just commercial [slashdot.org]

          • ...There is no need to encrypt communication between your browser and this site... In case you haven't noticed, SSL/TLS and encryption are useful only to prevent someone from eavesdropping on the conversation and to authenticate one or both parties.

            Those sound to me like very good reasons for using encryption regardless of whether it is "needed" or not. If i always use encryption, then I don't have to think about when to switch it on and off. It's always on.

            I don't think anyone thinks it will prevent a targeted attack, but it does keep my ISP from sending me emails regarding all the Scooby Doo parody porn someone keeps downloading using my account.

          • by Anonymous Coward

            There is one advantage in running TLS (HTTPS) for an information site like Slashdot, it makes it vastly harder for an ISP to inject ad content onto the page.

        • by Bengie ( 1121981 )
          SSL with outdated ciphers can leak your private keys. Sometimes something is worse than nothing.
  • or a guide which defines what the best ones are? Many Australians will want to know in the coming 12 months.

  • by Anonymous Coward on Friday February 26, 2016 @05:15PM (#51594303)

    Even a bad VPN is like WEP encryption on your wireless: It stops people from just reading your traffic without effort, prevents businesses from manipulating your traffic as it passes through their networks, and makes any attempt to do either a crime.

    • by TWX ( 665546 )
      WEP does not prevent people from reading traffic. WEP is broken to the point that it can be decrypted with a userland program that merely has to be run. It's harder to actually capture network traffic than it is to break WEP.

      Otherwise I would agree, provisionally, with your statement. Making the traffic hard to view is normally good enough for the vast majority of cases; it doesn't have to be impossible to view. The problem though, like the aforementioned WEP example, is when the tools to break that w

      by Anonymous Coward

      I use a VPN service, and even if it were relatively breakable, it forces an attacker to be actively attacking the connection. Passive sifting is blocked, which is what I aim for. I use a VPN service for several reasons:

      1: So the local link doesn't have access to all traffic. Some ISPs used to stick identifying headers into every web page request via active MITM. With a VPN, this is blocked.

      2: Crap like Phorm is blocked, so in-flight ads and possibly malvertising is stopped cold.

      3: Passive filtering f

      • by vux984 ( 928602 )

        There are 2 parts to this; and I'm not sure which applies, or perhaps both:

        If 90% number applies only to VPN Proxy services for the purposes you mention; to simply give you 1 hop bridge past whatever nonsense your ISP is doing and to cheese off advertisers and region restricting geolocates and so forth that's one thing.

        But

        If if the 90% number also includes actual SSL VPNs protecting remote access to private networks, (or perhaps SSL VPN remote access to YOUR network), that's pretty horrifying.

    • This is exactly the reason I use a VPN at work for "everything" not customer-facing. I don't really care if a sophisticated attacker could get in; I have backups and would never pay anybody for that data. I'm more worried about casual access, and confidential business data ending up in web caches or other databases.

      Doesn't mean I leave things less secure than practicable, it just means that I don't get snooty about having it locked down well. The important thing is having it locked down at all!

      Heck, my car

  • Untrusted certs

    by rtkluttz ( 244325 ) on Friday February 26, 2016 @05:16PM (#51594313)

    I'm not sure he is talking about what I think he is talking about with untrusted certs. Self signed certs are MORE secure as long as the party at both ends understands the process. You simply cannot have a true secret when there is a 3rd party. Certificate authorities are only there to make the process acceptably easy for those who don't know what is going on.

    • Re: Untrusted certs

      by JourneymanMereel ( 191114 ) <jake AT bugzilla DOT org> on Friday February 26, 2016 @05:30PM (#51594493)

      I'm pretty sure that my SSL VPN would not be included in this survey as we don't publish it and only give the URL to those that need it... But if it were, it would be in this insecure category because of an untrusted certificate. Except it's not. The certificate is signed using our internal CA which is trusted on all company computers. We don't want people connecting using their personal computers so I'm not at all concerned with putting a globally trusted cert on it. Other than that, it is secure. We don't use SHA1, we do use TLS rather than SSL, and we use FS. So while they would call it a fail, I would not.
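The posture described in this comment (TLS rather than SSL, no SHA-1, forward secrecy, an internal CA as the trust anchor on managed machines) maps onto a handful of client-side settings. As an added example, not the commenter's configuration or any product's code, here is a Python `ssl` client context that refuses SSLv2/SSLv3 and anything below TLS 1.2, requires the server certificate to chain to a supplied CA bundle (the `internal_ca_pem` parameter is a hypothetical name; with none given the OS trust store is used), and restricts TLS 1.2 to forward-secret AEAD suites. `audit_context` reports, in plain values, what the context will accept so the settings can be checked rather than assumed.

```python
import ssl
import socket


def strict_client_context(internal_ca_pem=None):
    """TLS client context that refuses what the study flags.

    - PROTOCOL_TLS_CLIENT already sets verify_mode=CERT_REQUIRED and check_hostname=True,
      so a self-signed, expired or wrong-name certificate fails the handshake outright.
    - minimum_version pins TLS 1.2+, which also excludes SSLv2/SSLv3 (Python's context
      defaults already carry OP_NO_SSLv2/OP_NO_SSLv3).
    - internal_ca_pem (hypothetical parameter name): path to a company CA bundle. This is
      how an internally signed VPN certificate is trusted on managed machines without a
      public CA; on anything else the same certificate is correctly rejected.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION            # no TLS compression (CRIME-style leaks)
    if internal_ca_pem:
        ctx.load_verify_locations(cafile=internal_ca_pem)
    else:
        ctx.load_default_certs()                    # OS trust store
    # TLS 1.2 suites limited to ephemeral (EC)DH key exchange with AEAD ciphers and no MD5.
    # TLS 1.3 suites are not governed by this string and are all forward secret.
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!MD5")
    return ctx


def audit_context(ctx):
    """Summarise what a context will accept, as plain values suitable for asserting or logging."""
    ciphers = ctx.get_ciphers()
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "rejects_sslv3": bool(ctx.options & ssl.OP_NO_SSLv3),
        "all_aead": all(c["aead"] for c in ciphers),
        # every TLS 1.2 suite left must use (EC)DHE; TLS 1.3 suites always do
        "forward_secrecy": all(c["protocol"] == "TLSv1.3" or "DHE" in c["name"] for c in ciphers),
        "cipher_count": len(ciphers),
    }


def connect(host, port, ctx=None):
    """Open a verified connection (network) and return the negotiated (protocol, cipher name).
    A server that only offers SSLv3, an untrusted certificate or a non-FS suite raises SSLError."""
    ctx = ctx or strict_client_context()
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    print(audit_context(strict_client_context()))
```

The same three controls (minimum protocol version, a pinned trust anchor, an FS-only cipher list) are what to look for in a VPN client's own configuration; the point of `audit_context` is that each one is observable on the context object rather than inferred from documentation.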

    • >> I'm not sure he is talking about what I think he is talking about with untrusted certs

      I had that impression too. When I've used VPNs with certs, it's been in situations where mutual authentication of specific certificates was used - no CAs necessary. Anyone who's used client keys with SSH or even just PGP would be familiar with the situation.

    • by khasim ( 1285 )

      I'm pretty sure that the journalist who wrote this did not understand the material. From TFA:

      High-Tech Bridge experts say that most of these untrusted certificates are because many SSL VPNs come with default pre-installed certificates that are rarely updated.

      The rarely updated part can be bad. Particularly if we're talking about SSL2 and so on.

      But unless the vendor is using the same certificate on all the boxes they sell, I'm not seeing a big problem.

    • by vidarlo ( 134906 )

      I'm not sure he is talking about what I think he is talking about with untrusted certs. Self signed certs are MORE secure as long as the party at both ends understands the process. You simply cannot have a true secret when there is a 3rd party. Certificate authorities are only there to make the process acceptably easy for those who don't know what is going on.

      You don't give your certificate to a third party by getting a signed certificate. You generate a signing request, which contains a check sum of your

    • Self signed certs are MORE secure as long as the party at both ends understands the process.

      I'm not sure how that can be since all root certs are simply self signed certs. There's just the ones that someone else has told us to trust such as the ones that come by default in your browser, and the ones that you deliberately choose to trust. There's also nothing that says you can't delete any "trusted" certs that you choose not to trust.

  • by known_coward_69 ( 4151743 ) on Friday February 26, 2016 @05:17PM (#51594319)
    I mean how else are no name companies supposed to sell you bandwidth for $5 or $10 a month unless they are mining your data?
    • by sims 2 ( 994794 )

      You mean like how verizon wireless charges up to $15/GB and embeds a tracking cookie in your web traffic by default?

      • a lot of those towers cost a lot of money to operate, even when not in use. rent, power, etc. lots of expenses not related to bandwidth. so you are paying for a lot of infrastructure that may be used maybe 40 hours a week at most
        • by sims 2 ( 994794 )

          Just to be clear are you saying VZW is injecting tracking information in my traffic to save me money?

        • Most of those expenses have been offloaded to the localities. It would be a LOT more expensive to have a cell phone if they all had to pay their fair share in physical space, taxes, spectrum and energy but most of that is subsidized. The real savings would come if they were actually forced to share the stuff the government gave them through your tax money.

  • by ls671 ( 1122017 ) on Friday February 26, 2016 @05:19PM (#51594339)

    "Most machines running VPNs haven't updated their SSL libraries" would be more precise. Maybe some VPNs bundle their own SSL libraries within their product, but in that case it would make more sense if they used the system-wide libraries.

    Example, you don't need to update OpenVPN, only the SSL libraries:

    https://community.openvpn.net/... [openvpn.net]

    • by Burz ( 138833 )

      Problem is, their test site doesn't seem to recognize openvpn... claims these sites don't use openvpn.

      It may also be possible that -- since the PIA domains I gave it likely support protocols other than openvpn -- their tool saw something else on another port and stopped, concluding "SSL/TLS not supported".

      So far, it seems like a junk study to me which is too bad.... I would have liked some accurate feedback about VPN services I'm interested in (including the service that /. is pushing).

      • by Burz ( 138833 )

        Correction: "... claims these sites don't support TLS." Sorry.

  • I'm typing VPN domains into their testing tool and it's telling me "This site doesn't support SSL/TLS".

    Last time I checked, most VPNs based on openvpn use TLS, like the ones I tried. My VPN config for privateinternetaccess.com requires "tls-client" directive and it uses a certificate to validate the server.

    So I don't know what this article is talking about. If openvpn (which uses TLS) is too 'different' a protocol for their tools to examine, then there is something very wrong with the study it's based on.

  • So 3/4 are insecure one way, "another" 3/4 are insecure another way.

    And the remaining -50% are fine?

  • VPNs not mentioned once in UK’s terrifying new internet powers draft bill (4 Nov 2015)
    https://thestack.com/security/... [thestack.com]
    ".. force UK ISPs to keep an Internet Connection Record (now jargonised into ‘ICR’) for the previous 12 months for all of its customers, and also for the fact that it begins to deliver on prime minister David Cameron’s frequently-aired misgivings about zero-knowledge consumer-level encryption ... "

    Why the disinterest in VPN's when all other network encryption w