Research shows that 90% of SSL VPNs have major security risks
2016-04-21
A recent study shows that 90% of SSL VPNs use insecure or outdated encryption methods, which puts enterprise data at risk while it is in transit.
High-Tech Bridge (HTB) conducted a large-scale study of publicly accessible SSL VPN servers. It randomly selected 4 million IPv4 addresses and passively scanned 10,436 publicly accessible SSL VPN servers from the major vendors Cisco, Fortinet and Dell. The scan exposed the following problems:
1. 77% of the tested SSL VPNs still use the old SSL v3 protocol, which dates from 1996. Moreover, about 100 servers use SSL v2. Both protocols are regarded as insecure by the industry and have many long-known weaknesses that can be exploited.
2. 76% of the tested SSL VPNs use an untrusted SSL certificate. This opens the door to man-in-the-middle attacks: an attacker can set up a fake server posing as a legitimate peer and capture VPN connection data that is supposed to be protected. HTB thinks enterprises should use the SSL certificate preloaded by the manufacturer.
3. 74% of the certificates use the insecure SHA-1 signature, and 5% even use the older MD5. Most web browsers plan to stop accepting certificates signed with SHA-1 before January 2017, because this aging algorithm can no longer withstand attack.
4. About 41% of the SSL VPNs use an insecure 1024-bit private key in their RSA certificate. The RSA certificate is used for authentication and for key exchange. Based on the latest results in cryptanalysis, the industry considers RSA keys shorter than 2048 bits insecure and a potential entry point for attackers.
5. One in ten of the SSL VPN servers that use OpenSSL may be vulnerable to Heartbleed. The notorious Heartbleed attack first appeared in April 2014, affecting all OpenSSL products and giving attackers a direct way to steal private keys, stored data and other sensitive information.
6. Only 3% of the SSL VPNs meet the PCI DSS requirements, and none of the servers meet the NIST standard. The PCI DSS requirements of the payment card industry and the NIST standard issued by the United States set the baseline security for credit card transaction operations and for companies handling government data.
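The six findings above amount to a checklist a defender can apply to their own SSL VPN endpoints. The following is an added example, not HTB's scanner: it classifies one scanned endpoint against that checklist (protocol version, certificate trust, signature hash, RSA key length, Heartbleed exposure) and builds a client-side TLS context that refuses to negotiate with the weak configurations. The `observation` record layout and the finding labels are this example's own assumptions; obtaining the signature hash and key size requires an X.509 parser, which is outside the standard library and left out here.

```python
"""Added example: audit one SSL VPN endpoint against the HTB findings.
Not HTB's tool; the record layout below is an assumption of this example."""
import socket
import ssl

# Thresholds taken directly from the article's six findings.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_SIG_HASHES = {"md5", "sha1"}
MIN_RSA_BITS = 2048


def classify(observation):
    """Return the findings for one endpoint, in checklist order.

    observation keys (assumed layout): protocol, cert_trusted, sig_hash,
    rsa_bits (None for non-RSA keys), heartbleed (bool, from a separate check).
    """
    findings = []
    if observation["protocol"] in WEAK_PROTOCOLS:
        findings.append("legacy-protocol")          # finding 1
    if not observation["cert_trusted"]:
        findings.append("untrusted-certificate")    # finding 2
    if observation["sig_hash"].lower() in WEAK_SIG_HASHES:
        findings.append("weak-signature-hash")      # finding 3
    rsa_bits = observation.get("rsa_bits")
    if rsa_bits is not None and rsa_bits < MIN_RSA_BITS:
        findings.append("short-rsa-key")            # finding 4
    if observation.get("heartbleed"):
        findings.append("heartbleed-exposed")       # finding 5
    return findings


def hardened_client_context():
    """Client settings that will not negotiate with the weak endpoints above.

    create_default_context() verifies the chain against the system trust store;
    minimum_version excludes SSLv2/SSLv3 and early TLS (Python 3.7+).
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def probe(host, port=443, timeout=5.0):
    """Connect with the hardened context and report what was negotiated.

    A handshake failure (ssl.SSLError) is itself a finding: the server offers
    nothing the hardened client is willing to accept.
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with hardened_client_context().wrap_socket(raw, server_hostname=host) as tls:
            subject = dict(pair[0] for pair in tls.getpeercert()["subject"])
            return {"protocol": tls.version(), "cipher": tls.cipher()[0],
                    "subject": subject}
```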
VPN technology allows users to securely access a private network and share data remotely over a public network. For plain web browsing, an SSL VPN is preferable to the earlier IPsec VPN because it does not require client software to be installed.
Many network administrators evidently equate SSL and TLS encryption with the HTTPS protocol alone, forgetting that key internet services such as email also depend on them.
HTB CEO Ilia Kolochenko commented: "There are still many people who associate SSL/TLS encryption and HTTPS encryption only with the web browser. These people seriously underestimate how deeply SSL and TLS encryption are integrated into other protocols and internet technologies."
HTB has launched a free SSL/TLS connection checking service, which is based entirely on the SSL encryption protocol. Interested readers can use it to test their own web, email or VPN servers.