The use of secure sockets layer (SSL) virtual private networks (VPNs) opens up networks to security risks, according to a white paper by NCP Engineering.
The NCP white paper:–
Debunking the Myths of SSL VPN Security - warns that vulnerabilities are endemic is SSL to the point where banks have their customer data stolen at “an alarming rate" and "web application developers create a false sense of security by trusting the confidence and credibility of a protocol that is likely to fail them before they can get through a single development cycle.”
Many of the attack vectors used against SSL are from other technologies using SSL or that SSL makes use of, such as block ciphers, stream ciphers, document format, and authentication and authorization schemes, according to the white paper.
The white paper exposes what it terms “myths” about SSL VPN. One myth is that SSL VPN is clientless. It warns that clientless SSL VPN products from multiple vendors can enable an attacker to use these devices to bypass authentication or conduct other web-based attacks.
“By convincing a user to view a specially crafted web page, a remote attacker is able to obtain VPN session tokens and read or modify content, including cookies, script or HTML content, from any site accessed through the clientless SSL VPN. This effectively eliminates same origin policy restrictions in all browsers. For example, the attacker is able to capture keystrokes, while a user is interacting with a web page”, according to the white paper.
“Clientless is a nice marketing term. It sounds great”, commented Rainer Enders, one of the authors of the report and chief technology officer for the Americas with NCP Engineering. “Guess what, it is not clientless”, he told Infosecurity.
Another myth identified by the white paper is that online banking via SSL sessions is secure. Banks use SSL for web browser banking sessions to provide secure transfer of sensitive information from customers or partners. Hackers exploited a weakness in the SSL connection and the web browser to breach Citigroup credit card customers information, the white paper noted.
“If your browser has security flaws, your SSL VPN has security flaws”, warned Enders.
Another myth, according to the paper, is that using trusted certificates from a certificate authority is secure. “Certificates used to authenticate an SSL connection allow for the certain identification of each party and for the negotiation of an encrypted channel for communication. The certificates themselves are files whose alteration can be easily detected and whose origin are verified by a trusted certificate authority, such as Comodo or VeriSign”, the white paper explained.
The problem is that the trusted certificate authority can be hacked, as happened with Comodo earlier this year. A half dozen of Comodo’s registration authorities (RAs) were hacked into, and the hackers obtained digital certificates. The hackers could spoof the certificates, enabling them to pose as Google and Yahoo and gained access to information over a secure connection, the white paper said.
Enders recommends using a hybrid solution - similar to one offered by his company - that includes both SSL VPN and IPSec to address security issues with both technologies.
Many of the attack vectors used against SSL are from other technologies using SSL or that SSL makes use of, such as block ciphers, stream ciphers, document format, and authentication and authorization schemes, according to the white paper.
The white paper exposes what it terms “myths” about SSL VPN. One myth is that SSL VPN is clientless. It warns that clientless SSL VPN products from multiple vendors can enable an attacker to use these devices to bypass authentication or conduct other web-based attacks.
“By convincing a user to view a specially crafted web page, a remote attacker is able to obtain VPN session tokens and read or modify content, including cookies, script or HTML content, from any site accessed through the clientless SSL VPN. This effectively eliminates same origin policy restrictions in all browsers. For example, the attacker is able to capture keystrokes, while a user is interacting with a web page”, according to the white paper.
“Clientless is a nice marketing term. It sounds great”, commented Rainer Enders, one of the authors of the report and chief technology officer for the Americas with NCP Engineering. “Guess what, it is not clientless”, he told Infosecurity.
Another myth identified by the white paper is that online banking via SSL sessions is secure. Banks use SSL for web browser banking sessions to provide secure transfer of sensitive information from customers or partners. Hackers exploited a weakness in the SSL connection and the web browser to breach Citigroup credit card customers information, the white paper noted.
“If your browser has security flaws, your SSL VPN has security flaws”, warned Enders.
Another myth, according to the paper, is that using trusted certificates from a certificate authority is secure. “Certificates used to authenticate an SSL connection allow for the certain identification of each party and for the negotiation of an encrypted channel for communication. The certificates themselves are files whose alteration can be easily detected and whose origin are verified by a trusted certificate authority, such as Comodo or VeriSign”, the white paper explained.
The problem is that the trusted certificate authority can be hacked, as happened with Comodo earlier this year. A half dozen of Comodo’s registration authorities (RAs) were hacked into, and the hackers obtained digital certificates. The hackers could spoof the certificates, enabling them to pose as Google and Yahoo and gained access to information over a secure connection, the white paper said.
Enders recommends using a hybrid solution - similar to one offered by his company - that includes both SSL VPN and IPSec to address security issues with both technologies.
-News Source (Info Security)
LINK TO OUR HOME PAGE :
Voice Of GREYHAT is a non-profit Organization propagating news specifically related with Cyber security threats, Hacking threads and issues from all over the spectrum. The news provided by us on this site is gathered from various Re-Sources. if any person have some FAQ's in their mind they can Contact Us. Also you can read our Privacy Policy for more info.
Thank You !
-Team VOGH
If you enjoyed VOGH News, Articles Then Do Make sure you to Subscribe Our RSS feed. Stay Tuned with VOGH and get Updated about Cyber Security News, Hacking Threads and Lots More. All our Articles and Updates will directly be sent to Your Inbox. Thank You!
-Team VOGH
Categories:
vulnerablity