File it under hardly surprising: New research from High-Tech Bridge (HTB) found that 90 percent of all SSL VPN servers are “hopelessly insecure.” As noted by The Register, the firm scanned more than 10,000 publicly available virtual private network (VPN) servers for common vulnerabilities and uncovered everything from outdated SSL protocols to bad certificates and weak encryption.
Put simply, there’s a disconnect here: Providers talk big about scoring secure connections and Internet anonymity, but most have missed the mark.
Serious Flaws in SSL VPNs
HTB’s scan of VPNs — selected randomly from the 4 million IPv4 addresses available and hosted by some of the world’s largest vendors — revealed a number of disturbing trends. For example, 77 percent of all SSL VPN servers tested use SSLv3 protocol despite the fact that it’s two decades old and contains a number of serious flaws.
More worrisome is that 1 percent of the VPNs tested use SSLv2. Three out of four VPNs relied on untrusted SSL certificates, making it possible for attackers to launch man-in-the-middle (MitM) attacks. Thankfully, this one’s easy to avoid: Companies just need to upgrade from the default certificate installed by their vendor.
When it comes to encryption, over 40 percent of servers use 1024-bit keys for RSA certificates, considered much less secure than their 2048-bit cousins. Conducting financial transactions is also hit or miss on VPNs since just 3 percent are compliant with PCL DSS or NIST guidelines for handling credit card or secure government data. And saving the best for last: 10 percent of servers scanned are still using versions of OpenSSL vulnerable to Heartbleed. Yikes.
For most IT professionals and even private users, the revelation that VPNs aren’t as secure as promised isn’t exactly earth-shattering. It’s important, however, because virtual private server technology is quickly becoming one of the most popular forms of online privacy and anonymity.
As noted by Ars Technica, for example, the spread of VPNs has led multiple governments to draft legislation that either blocks or empowers these services, while streaming video services such as Netflix are taking steps to block VPNs from accessing country-specific versions of its content. The sheer number of providers and Internet pipelines, however, makes this a losing battle for any government or corporation; eventually, VPNs will win the day.
The problem? VPNs may not be secure. In addition to the large-scale issues reported by HTB, there are vulnerabilities that compromise specific security appliances and servers. As noted by PCWorld, for example, Cisco recently patched a critical issue with its ASA firewalls configured to act as VPNs, which allowed remote attackers to gain full control.
Ultimately, the growing use of VPNs to protect business data and consumer privacy, combined with an evolving tech landscape where getting to market first often means grabbing the lion’s share of consumer interest, has led to a strange reversal: Services designed to deliver secure connections are failing to meet this most basic goal. With 90 percent of SSL VPN servers categorized as “hopeless,” it’s time for a dose of reality. In many cases, opting for virtual privacy means virtually nothing.