According to Security Intelligence, an analytics company providing data for the information security industry, almost every SSL VPN server is woefully unprepared to keep your connection safe. That's not surprising for those in the know, but the latest research out of High-Tech Bridge (HTB) found that about 90 percent of SSL VPN servers are "hopelessly insecure." The Register reported the findings: HTB scanned over 10,000 public SSL VPN servers looking for weaknesses and found them by the bucketful. Out-of-date SSL protocol versions, weak encryption, and bad certificates were running rampant.
But why? There's a big gap between what is promised and what is deployed, and nobody's talking about it. You'll see providers boasting about incredible connections and the importance of internet anonymity, but when it comes down to it, laziness prevails. Time and time again, it's found out (too late) that the biggest breaches could have been easily prevented. Some businesses are still relying on basic shared servers instead of dedicated or virtual private server hosting, but security is a two-way street: the hosting choice matters less than whether anyone actually configures what is on it.
The Biggest Issues
When HTB dug into the scan results, which covered servers randomly chosen from four million scanned IPv4 addresses and built on appliances from the biggest vendors in the world, common and troubling themes appeared. It was discovered that 77 percent of SSL VPN servers in the analysis still accept the SSLv3 protocol, even though it dates from 1996 and has been known to be broken since the POODLE attack in 2014. How could that be happening the majority of the time?
One percent of those tested were even still offering SSLv2, which is older and weaker still. Seventy-five percent of the VPNs use SSL certificates that clients cannot trust, which makes man-in-the-middle (MitM) attacks straightforward: users of those servers are already trained to click through the certificate warning, so a forged certificate looks no different from the real one. It's very easy to fix this. Simply replace the self-signed certificate that was installed by the vendor with one issued by a CA the clients trust. However, since three out of four organizations haven't done this, it's obviously not a high priority, and they've placed themselves squarely in sitting duck territory.
The Crypt Keeper
More than 40 percent of servers in the study depend on 1024-bit RSA keys for their certificates, a size NIST deprecated after 2013 and which is notoriously a lot less secure than the 2048-bit minimum. With only three percent of VPNs compliant with PCI DSS/NIST recommendations for credit card and government data processing, that's another huge red flag. Finally, ten percent of servers in the study are running OpenSSL versions still vulnerable to Heartbleed (CVE-2014-0160), long after the patch shipped.
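The checks behind those percentages are easy to reproduce against your own VPN portal. The script below is an added example, not HTB's scanner or any vendor's tool: it pins a handshake to each protocol version in turn to see which the server accepts, validates the certificate against the system trust store, and (if the optional `cryptography` package is installed) reads the RSA key size and signature hash out of the certificate, then scores the results against the PCI DSS 3.1 and NIST SP 800-52/800-131A minimums named above. The host `vpn.example.com` is a placeholder. Heartbleed is not covered here; it needs a separate heartbeat probe.

```python
"""Audit one TLS endpoint (for example an SSL VPN portal) for the weaknesses the HTB survey counted.
Added example, not HTB's scanner. Thresholds follow PCI DSS 3.1 (no SSL or early TLS) and
NIST SP 800-52 / 800-131A (TLS 1.2 or newer, RSA keys of at least 2048 bits, no SHA-1)."""
import socket
import ssl
from dataclasses import dataclass, field
from typing import Optional

try:                      # optional: only needed to read key size and signature hash from the DER cert
    from cryptography import x509
except ImportError:
    x509 = None

LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
PROBE_VERSIONS = {        # SSLv2 cannot be probed with the ssl module at all; SSLv3 only on old builds
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
MIN_RSA_BITS = 2048
WEAK_SIGNATURE_HASHES = {"sha1", "md5"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")


@dataclass
class Observation:
    host: str
    protocols: dict = field(default_factory=dict)  # name -> True/False, or None when the probe was inconclusive
    cert_trusted: Optional[bool] = None
    self_signed: Optional[bool] = None
    key_bits: Optional[int] = None
    signature_hash: Optional[str] = None
    cipher: Optional[str] = None


def assess(obs: Observation) -> list:
    """Turn raw observations into the findings a report would list."""
    findings = []
    for name in LEGACY_PROTOCOLS:
        if obs.protocols.get(name):
            findings.append(f"accepts {name} (PCI DSS 3.1 forbids SSL and early TLS)")
    if obs.protocols.get("TLSv1.2") is False and obs.protocols.get("TLSv1.3") is False:
        findings.append("no TLS 1.2 or 1.3 support (NIST SP 800-52 minimum)")
    if obs.cert_trusted is False:
        detail = "self-signed, probably the vendor default" if obs.self_signed else "chain does not validate"
        findings.append(f"untrusted certificate ({detail}); clients cannot tell the real server from a MitM")
    if obs.key_bits is not None and obs.key_bits < MIN_RSA_BITS:
        findings.append(f"{obs.key_bits}-bit RSA key, below the {MIN_RSA_BITS}-bit minimum of NIST SP 800-131A")
    if obs.signature_hash and obs.signature_hash.lower() in WEAK_SIGNATURE_HASHES:
        findings.append(f"certificate signed with {obs.signature_hash.upper()}")
    if obs.cipher and any(marker in obs.cipher.upper() for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"negotiated weak cipher {obs.cipher}")
    return findings


def probe_protocol(host: str, port: int, version: ssl.TLSVersion) -> Optional[bool]:
    """True if the server completes a handshake pinned to exactly `version`; None if we cannot tell."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE            # protocol support is being tested here, not trust
    try:
        ctx.maximum_version = version
        ctx.minimum_version = version
        ctx.set_ciphers("ALL:@SECLEVEL=0")     # let a modern OpenSSL offer legacy suites at all
    except (ValueError, ssl.SSLError):
        return None                            # local build cannot speak this version
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:
        return False                           # handshake refused: version not offered
    except OSError:
        return None                            # unreachable / refused connection


def inspect_certificate(host: str, port: int, obs: Observation) -> None:
    """Fill in trust, self-signed status, key size and signature hash."""
    strict = ssl.create_default_context()      # system trust store, hostname checked
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with strict.wrap_socket(sock, server_hostname=host) as tls:
                obs.cert_trusted = True
                obs.cipher = tls.cipher()[0]
    except ssl.SSLCertVerificationError:       # subclass of SSLError, so it must be caught first
        obs.cert_trusted = False
    except (ssl.SSLError, OSError):
        return
    lax = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE            # fetch the DER cert even when it does not validate
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with lax.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                obs.cipher = obs.cipher or tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return
    if x509 is None or der is None:
        return
    cert = x509.load_der_x509_certificate(der)
    obs.self_signed = cert.issuer == cert.subject
    obs.key_bits = getattr(cert.public_key(), "key_size", None)
    obs.signature_hash = cert.signature_hash_algorithm.name if cert.signature_hash_algorithm else None


def audit(host: str, port: int = 443) -> Observation:
    obs = Observation(host=host)
    for name, version in PROBE_VERSIONS.items():
        obs.protocols[name] = probe_protocol(host, port, version)
    inspect_certificate(host, port, obs)
    return obs


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"   # placeholder host
    for line in assess(audit(target)) or ["no findings"]:
        print(f"{target}: {line}")
```

Run it as `python audit_vpn.py vpn.example.com`. A probe result of None is deliberately not counted as a finding: a current OpenSSL build often refuses to even offer SSLv3, so the script cannot prove a server rejects it, and a report should say "could not test" rather than "secure".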
A lot of IT pros weren't surprised by the findings, but as VPN technology becomes the leading option for online privacy, it's about to get a lot messier. The popularity of VPNs has prompted some governments to legislate either to restrict or to encourage VPN services, and companies like Netflix are hustling to block VPN users from reaching country-specific versions of their service. However, the sheer number of internet routes and providers makes that a losing battle.
The bottom line is that VPNs aren't necessarily secure, and the majority of operators aren't taking measures to beef up that security.