Nine out of 10 SSL VPN servers use insecure or outdated encryption, which puts corporate data at risk.
High-Tech Bridge conducted a study of 10,436 randomly selected SSL VPN servers from large vendors. The company claims that 77 percent of all SSL VPNs use SSLv3 or SSLv2 to encrypt traffic, even though both of these versions are considered insecure.
About 41 percent of the servers use an insecure 1024-bit key length for their RSA certificates. Any RSA key length below 2048 bits is considered insecure, as it opens the door to attacks.
Untrusted SSL certificates are used by 76 percent of all SSL VPN servers, which could result in man-in-the-middle attacks.
Almost three quarters (74 percent) of certificates have insecure SHA-1 signatures and five percent use MD5 hashes, both of which are dated.
Despite available patches, 10 percent of SSL VPN servers that rely on OpenSSL are still vulnerable to Heartbleed.
Only three percent of the tested SSL VPNs followed PCI DSS requirements. None complied with NIST (National Institute of Standards and Technology) guidelines.
Ilia Kolochenko, chief exec of High-Tech Bridge said: “Today many people still associate SSL/TLS encryption mainly with HTTPS protocol and web browsers, and seriously underestimate its usage in other protocols and internet technologies. A lot of things can be done to improve reliability and security of SSL VPNs.”
High-Tech Bridge is providing a free tool that can inform users if their SSL VPN or HTTPS website is doing its job in protecting them.