The NCP white paper – Debunking the Myths of SSL VPN Security – warns that vulnerabilities are endemic in SSL, to the point where banks have their customer data stolen at “an alarming rate” and “web application developers create a false sense of security by trusting the confidence and credibility of a protocol that is likely to fail them before they can get through a single development cycle.”
Many of the attack vectors used against SSL originate in other technologies that either build on SSL or that SSL itself relies on, such as block ciphers, stream ciphers, document formats, and authentication and authorization schemes, according to the white paper.
The white paper exposes what it terms “myths” about SSL VPN. One myth is that SSL VPN is clientless. It warns that clientless SSL VPN products from multiple vendors can enable an attacker to use these devices to bypass authentication or conduct other web-based attacks.
“By convincing a user to view a specially crafted web page, a remote attacker is able to obtain VPN session tokens and read or modify content, including cookies, script or HTML content, from any site accessed through the clientless SSL VPN. This effectively eliminates same origin policy restrictions in all browsers. For example, the attacker is able to capture keystrokes, while a user is interacting with a web page”, according to the white paper.
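The mechanism behind that warning is URL rewriting: a clientless gateway fetches pages from many internal and external sites and serves them all from its own host name, so the browser sees a single origin. The following is an added illustration, not code from the NCP white paper or from any vendor's product; the host names, the path-based rewriting scheme and the per-site subdomain scheme are assumptions chosen to show the effect. It rewrites a constructed sample page two ways and counts the origins the browser would end up with: path-based rewriting collapses a bank page and an attacker-controlled script into one origin, while giving each backend host its own gateway subdomain keeps them apart.

```javascript
// Added example (not from the NCP white paper or any vendor's product): a toy model of
// how a "clientless" SSL VPN gateway rewrites URLs, and why that collapses the browser's
// same-origin policy. All host names below are hypothetical.

const URL_RE = /https?:\/\/[^\s"'<>]+/g;

// Path-based rewriting, the scheme many clientless gateways used:
//   https://bank.example/x  ->  https://vpn.example/proxy/https/bank.example/x
// Every proxied site now lives under the gateway's single origin.
function rewritePathBased(html, gateway) {
  return html.replace(URL_RE, (u) => {
    const url = new URL(u);
    const scheme = url.protocol.slice(0, -1); // "https:" -> "https"
    return `${gateway}/proxy/${scheme}/${url.host}${url.pathname}${url.search}`;
  });
}

// Subdomain-based rewriting, the hardened form: each backend host is mapped to its own
// gateway subdomain, so the browser keeps a distinct origin per backend site.
//   https://bank.example/x  ->  https://bank-example.vpn.example/x
function rewriteSubdomain(html, gatewayDomain) {
  return html.replace(URL_RE, (u) => {
    const url = new URL(u);
    const label = url.host.replace(/[^a-z0-9]/gi, '-');
    return `https://${label}.${gatewayDomain}${url.pathname}${url.search}`;
  });
}

// Origin as the browser computes it for same-origin-policy purposes (scheme, host, port).
function originOf(u) {
  return new URL(u).origin;
}

// Distinct origins referenced by a document, sorted for stable comparison.
function originsIn(html) {
  const urls = html.match(URL_RE) || [];
  return [...new Set(urls.map(originOf))].sort();
}

// Constructed sample: an intranet page that links to a bank and, through some injected
// content, loads a script from an attacker-controlled site.
const SAMPLE_HTML = `
<html><body>
<a href="https://bank.example/accounts">Bank</a>
<script src="https://evil.example/steal.js"></script>
</body></html>`;

// Returns the origin sets before rewriting and under each rewriting scheme.
function demo() {
  return {
    before: originsIn(SAMPLE_HTML),
    pathBased: originsIn(rewritePathBased(SAMPLE_HTML, 'https://vpn.example')),
    subdomain: originsIn(rewriteSubdomain(SAMPLE_HTML, 'vpn.example')),
  };
}

console.log(demo());
```

With path-based rewriting, `steal.js` runs in the same origin as the bank page, so it can read that page's DOM, its cookies and the gateway's own session cookie, which is exactly the cross-site access the white paper describes. The subdomain scheme keeps origins separate, but only if the gateway's session cookie is host-only (set without a `Domain` attribute); a cookie scoped to `vpn.example` would still be sent to every subdomain.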
“Clientless is a nice marketing term. It sounds great”, commented Rainer Enders, one of the authors of the report and chief technology officer for the Americas with NCP Engineering. “Guess what, it is not clientless”, he told Infosecurity.
Another myth identified by the white paper is that online banking via SSL sessions is secure. Banks use SSL for web browser banking sessions to provide secure transfer of sensitive information from customers or partners. Hackers exploited a weakness in the SSL connection and the web browser to breach Citigroup credit card customers’ information, the white paper noted.
“If your browser has security flaws, your SSL VPN has security flaws”, warned Enders.
Another myth, according to the paper, is that using trusted certificates from a certificate authority is secure. “Certificates used to authenticate an SSL connection allow for the certain identification of each party and for the negotiation of an encrypted channel for communication. The certificates themselves are files whose alteration can be easily detected and whose origin is verified by a trusted certificate authority, such as Comodo or VeriSign”, the white paper explained.
The problem is that the trusted certificate authority can be hacked, as happened with Comodo earlier this year. A half dozen of Comodo’s registration authorities (RAs) were hacked into, and the hackers obtained digital certificates. The hackers could spoof the certificates, enabling them to pose as Google and Yahoo and gain access to information over a secure connection, the white paper said.
Enders recommends using a hybrid solution - similar to one offered by his company - that includes both SSL VPN and IPSec to address security issues with both technologies.