Thursday, December 3, 2009

Vulnerability in VPN/SSL platforms: so what?

The US-CERT points that using a VPN/SSL to access arbitrary web sites circumvents the security features of modern browsers.

I have an odd sensation of being in a troubled IT/ITsec world when I read that. What seems so strange to me is not the vulnerability, it's that it requires a US-CERT advice for people to notice.

I mean... For years the web has been struggling to build protocols like HTTPS (and to get the mainstream browsers support it correctly). And we hear every day that even though the protocol is a jewel in itself, it is not sufficient for security. That's why we have vulnerability reports for browsers, anti-phishing features, certificate authorities, etc.

Now we build a new tool that will handle web sites and forward them to and fro and we should think that it does not deserve the same amount of care and time to mature? No, no, no...
Big expert organizations like Microsoft, Google or Mozilla struggle at it, why should Cisco, Juniper or SafeNet have it right from the first time?

Pessimistic: It's always the same game. You build something strong and then you build it anew making the same mistakes. And every time you get surprised.

Optimistic: Now that the vulnerability is public (I thought it always was!) maybe the VPN/SSL makers will improve their products.

Realistic: If you use the intranet from the Internet, you should be prepared to handle the security of the intranet as if it were exposed to the public. That means, for instance, investing some time in understanding a VPN/SSL product before entering wildcards in its policies.

EDIT 12/04/2009: Cisco says it very well ^^
"Administrators are advised to configure clientless SSL VPN sessions so that only trusted internal networks are accessed using the VPN session. All other connections should be accessed without using the SSL VPN session."