90% of SSL VPNs use insecure or outdated encryption, putting your data at riskTuesday, February 23, 2016
Have you ever thought how secure and reliable your SSL VPN? Probably you should.
In December 2015, we conducted a research on SSL/TLS encryption of the largest public email service providers that helped several large companies to improve the quality and reliability of their email servers SSL/TLS encryption. Encryption becomes vital these days, largest companies such as Google, perform daily security awareness about its importance.
This is why we recently decided to investigate the current state of affairs on SSL VPN (Virtual Private Networks) market. In order to do so, High-Tech Bridge conducted a large-scale Internet research on live and publicly-accessible SSL VPN servers. In a non-intrusive way, we have scanned 10’436 randomly selected publicly available SSL VPN servers (taken from a scope of 4 million randomly selected IPv4 addresses) from the largest vendors, such as Cisco, Fortinet and Dell.
The results were sadly impressive, showing that many people still consider SSL/TLS encryption as something applicable to HTTPS protocol only, forgetting that such vital Internet services, as email or VPN also rely on it.
Let’s have a look on the key findings from the research:
77% of tested SSL VPNs still use insecure SSLv3, few dozens still have SSLv2
SSLv3 protocol was created in early 1996. Today, it’s considered deprecated, and majority of international and national security standards and compliance norms, such PCI DSS or NIST SP 800-52, prohibit its usage due to numerous vulnerabilities and weaknesses discovered in it during the years.
76% of tested SSL VPNS use an untrusted SSL certificate
Untrusted certificate allows a remote attacker to impersonate the VPN server, perform Man-in-the-Middle attack, and intercept all the data, including files, emails and password the user pass over the allegedly “secure” VPN connection. The largest risk we observed particularly for SSL VPNs, was due to usage of default pre-installed certificate from the vendor.
74% of certificates have insecure SHA-1 signature, 5% have even older MD5
Majority of web browsers plan to depreciate and stop accepting SHA-1 signed certificates, as algorithm’s weaknesses can potentially allow forging a certificate, impersonating a server and intercepting critical data.
41% of SSL VPNs use insecure 1024 key length for their RSA certificates
RSA certificate is used for authentication and encryption key exchange. Since a while already, the RSA key length below 2048 is considered insecure, allowing various attacks.
10% of SSL VPN servers that rely on OpenSSL (e.g. Fortinet), are still vulnerable to Heartbleed
Detected in April 2014, Heartbleed vulnerability affected all products using or relying on OpenSSL, allowing remote non-authenticated attacker to compromise the remote server in few minutes.
At High-Tech Bridge, we have developed our own score-based system to grade reliability and security of SSL/TLS encryption. For this research, less than 3% of tested SSL VPNs got the highest “A” grade, while almost 86% got lowest failing “F” grade:
Ilia Kolochenko, CEO of High-Tech Bridge, comments: “Today many people still associate SSL/TLS encryption mainly with HTTPS protocol and web browsers, and seriously underestimate its usage in other protocols and Internet technologies.
At High-Tech Bridge, we provide a free online service to enable anyone to check security, reliability and compliance of his, or her, SSL/TLS connection. Our service supports any protocols that rely on SSL encryption, so you can test your web, email or VPN servers with it.
Since its launch in October 2015, already above 130’000 tests were performed, helping thousands of people to improve their security. In the near future, we are going to release more free services designed to make global Web a safer place. Stay tuned.”
As you can see from the above, a lot of things can be done to improve reliability and security of SSL VPNs. If you want to test how secure your SSL VPN is, you can use our free online SSL/TLS server test.