February 29, 2016 By Douglas Bonderud 2 min read

File it under hardly surprising: New research from High-Tech Bridge (HTB) found that 90 percent of all SSL VPN servers are “hopelessly insecure.” As noted by The Register, the firm scanned more than 10,000 publicly available virtual private network (VPN) servers for common vulnerabilities and uncovered everything from outdated SSL protocols to bad certificates and weak encryption.

Put simply, there’s a disconnect here: Providers talk big about scoring secure connections and Internet anonymity, but most have missed the mark.

Serious Flaws in SSL VPNs

HTB’s scan of VPNs — selected randomly from the 4 million IPv4 addresses available and hosted by some of the world’s largest vendors — revealed a number of disturbing trends. For example, 77 percent of all SSL VPN servers tested use SSLv3 protocol despite the fact that it’s two decades old and contains a number of serious flaws.

More worrisome is that 1 percent of the VPNs tested use SSLv2. Three out of four VPNs relied on untrusted SSL certificates, making it possible for attackers to launch man-in-the-middle (MitM) attacks. Thankfully, this one’s easy to avoid: Companies just need to upgrade from the default certificate installed by their vendor.

When it comes to encryption, over 40 percent of servers use 1024-bit keys for RSA certificates, considered much less secure than their 2048-bit cousins. Conducting financial transactions is also hit or miss on VPNs since just 3 percent are compliant with PCL DSS or NIST guidelines for handling credit card or secure government data. And saving the best for last: 10 percent of servers scanned are still using versions of OpenSSL vulnerable to Heartbleed. Yikes.

Significant Reach

For most IT professionals and even private users, the revelation that VPNs aren’t as secure as promised isn’t exactly earth-shattering. It’s important, however, because virtual private server technology is quickly becoming one of the most popular forms of online privacy and anonymity.

As noted by Ars Technica, for example, the spread of VPNs has led multiple governments to draft legislation that either blocks or empowers these services, while streaming video services such as Netflix are taking steps to block VPNs from accessing country-specific versions of its content. The sheer number of providers and Internet pipelines, however, makes this a losing battle for any government or corporation; eventually, VPNs will win the day.

The problem? VPNs may not be secure. In addition to the large-scale issues reported by HTB, there are vulnerabilities that compromise specific security appliances and servers. As noted by PCWorld, for example, Cisco recently patched a critical issue with its ASA firewalls configured to act as VPNs, which allowed remote attackers to gain full control.

Ultimately, the growing use of VPNs to protect business data and consumer privacy, combined with an evolving tech landscape where getting to market first often means grabbing the lion’s share of consumer interest, has led to a strange reversal: Services designed to deliver secure connections are failing to meet this most basic goal. With 90 percent of SSL VPN servers categorized as “hopeless,” it’s time for a dose of reality. In many cases, opting for virtual privacy means virtually nothing.

More from

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today