90% of SSL VPNs use insecure or outdated encryption, putting your data at risk

Have you ever thought how secure and reliable your SSL VPN? Probably you should.

In December 2015, we conducted a research on SSL/TLS encryption of the largest public email service providers that helped several large companies to improve the quality and reliability of their email servers SSL/TLS encryption. Encryption becomes vital these days, largest companies such as Google, perform daily security awareness about its importance.

This is why we recently decided to investigate the current state of affairs on SSL VPN (Virtual Private Networks) market. In order to do so, High-Tech Bridge conducted a large-scale Internet research on live and publicly-accessible SSL VPN servers. In a non-intrusive way, we have scanned 10’436 randomly selected publicly available SSL VPN servers (taken from a scope of 4 million randomly selected IPv4 addresses) from the largest vendors, such as Cisco, Fortinet and Dell.

The results were sadly impressive, showing that many people still consider SSL/TLS encryption as something applicable to HTTPS protocol only, forgetting that such vital Internet services, as email or VPN also rely on it.

Let’s have a look on the key findings from the research:

• 77% of tested SSL VPNs still use insecure SSLv3, few dozens still have SSLv2
  SSLv3 protocol was created in early 1996. Today, it’s considered deprecated, and majority of international and national security standards and compliance norms, such PCI DSS or NIST SP 800-52, prohibit its usage due to numerous vulnerabilities and weaknesses discovered in it during the years.
  
  

• 76% of tested SSL VPNS use an untrusted SSL certificate
  Untrusted certificate allows a remote attacker to impersonate the VPN server, perform Man-in-the-Middle attack, and intercept all the data, including files, emails and password the user pass over the allegedly “secure” VPN connection. The largest risk we observed particularly for SSL VPNs, was due to usage of default pre-installed certificate from the vendor.
  
  

• 74% of certificates have insecure SHA-1 signature, 5% have even older MD5
  Majority of web browsers plan to depreciate and stop accepting SHA-1 signed certificates, as algorithm’s weaknesses can potentially allow forging a certificate, impersonating a server and intercepting critical data.
  
  

• 41% of SSL VPNs use insecure 1024 key length for their RSA certificates
  RSA certificate is used for authentication and encryption key exchange. Since a while already, the RSA key length below 2048 is considered insecure, allowing various attacks.
  
  

• 10% of SSL VPN servers that rely on OpenSSL (e.g. Fortinet), are still vulnerable to Heartbleed
  Detected in April 2014, Heartbleed vulnerability affected all products using or relying on OpenSSL, allowing remote non-authenticated attacker to compromise the remote server in few minutes.
  
  

• Only 3% are compliant with PCI DSS requirements, none is compliant with NIST guidelines
  PCI DSS requirements and NIST guidelines can be considered a minimum required level of security.
  
  

At High-Tech Bridge, we have developed our own score-based system to grade reliability and security of SSL/TLS encryption. For this research, less than 3% of tested SSL VPNs got the highest “A” grade, while almost 86% got lowest failing “F” grade:

Ilia Kolochenko, CEO of High-Tech Bridge, comments: “Today many people still associate SSL/TLS encryption mainly with HTTPS protocol and web browsers, and seriously underestimate its usage in other protocols and Internet technologies.
At High-Tech Bridge, we provide a free online service to enable anyone to check security, reliability and compliance of his, or her, SSL/TLS connection. Our service supports any protocols that rely on SSL encryption, so you can test your web, email or VPN servers with it.
Since its launch in October 2015, already above 130’000 tests were performed, helping thousands of people to improve their security. In the near future, we are going to release more free services designed to make global Web a safer place. Stay tuned.”

As you can see from the above, a lot of things can be done to improve reliability and security of SSL VPNs. If you want to test how secure your SSL VPN is, you can use our free online SSL/TLS server test.

High-Tech Bridge Security Research High-Tech Bridge Security Research Team regularly writes about web and mobile application security, privacy, Machine Learning and AI.

Join ImmuniWeb’s Twitter community now. Hot news on Application Security, Machine Learning and AI.

User Comments

Add Comment

Allowed BB codes: [i], [u], [b], [quote]. Insulting or inappropriate comments will be immediately deleted. HTML is not allowed.

I agree with Privacy Policy

7 responses to "90% of SSL VPNs use insecure or outdated encryption, putting your data at risk"

Anonymous 2016-02-27 13:10:49 UTC Comment this

76% of tested SSL VPNS use an untrusted SSL certificate
signed certificats are not more secure.
cert autorities are foreced to giva master keys to NSA.

John 2016-02-28 17:57:22 UTC Comment this

Anonymous wrote:

76% of tested SSL VPNS use an untrusted SSL
certificate
signed certificats are not more secure.
cert autorities are foreced to giva master keys to NSA.

Foreign VPN companies are not beholden to the NSA.

Anonymous 2016-03-01 23:01:26 UTC Comment this

Heartbleed affected OpenSSL versions 1.0.1 through 1.0.1f.
Fortinet fixed this vulnerability starting FortiOS version 5.0.7.
Can you please justify your statement or please change it.

Anonymous 2016-03-01 23:27:16 UTC Comment this

Anonymous wrote:

Heartbleed affected OpenSSL versions 1.0.1 through 1.0.1f.
Fortinet fixed this vulnerability starting FortiOS version 5.0.7.
Can you please justify your statement or please change it.

How can someone justify the fact that people use outdated FortiOS?

Anonymous 2016-03-02 10:35:34 UTC Comment this

Anonymous wrote:

Anonymous wrote:

H eartbleed affected OpenSSL versions 1.0.1 through 1.0.1f.
Fortinet fixed this vulnerability starting FortiOS version 5.0.7.
Can you please justify your statement or please change it.

How can someone justify the fact that people use outdated FortiOS?

The point is that since 2 years FortiOS has the fix for Hearbleed issue, while this blog says the issue is still there.

That is what I've asked to justify.

5.0.7 was the first patch containing the fix when HB was discovered, and today, after 2 years, 5.0.7 is out of support. But this is not the point of discussion here.

Antoine Ducret 2016-03-07 17:51:08 UTC Comment this

FortiOS 5.0 is not out of support but out of engineering support for devices that support 5.2 version, but this is not the point here.

Regarding Heartbleed, we can see websites that are still vulnerable, meaning some organizations have not updated OpenSSL since the patch has been published.
The same way there are organizations that forgot they had a Fortigate somewhere or that do not patch their devices. This is exactly what the 10% shows.

Anonymous 2016-10-12 15:40:53 UTC Comment this

John wrote:

Anonymous wrote:

76% of tested SSL VPNS use an untrusted SSL
certificate
signed certificats are not more secure.
cert autorities are foreced to giva master keys to NSA.

Foreign VPN companies are not beholden to the NSA.

First, that's factually incorrect. Between mutual cooperation treaties, financial incentives and outright blackmail, many foreign companies could very well be "beholden to the NSA."

That has no bearing on the signing issue, however. If the CA has been compromised, it doesn't matter if your provider is compromised since MITM attacks would be possible with forged site certificates. If the cert is signed by a third party, you have to be sure both the third party CA and provider aren't compromised. If you must involve a 3rd party, you should probably avoid those in the standard trust lists for major web browsers and operating systems.

↑ Back to Top