[olug] SSL VPN Vulnerabilities?

Daniel Linder dan at linder.org
Thu May 19 21:58:30 UTC 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jim <jameso at elwood.net> wrote:
> The SSL VPN tools I know of, like OpenVPN, are completely separate
> from your web browser.

Rob Townley said:
> Thanks for pointing that out.  I was not referring to openvpn, but
> vpns and security in general.  The article i read on nwfusion.com
> would lead one to believe a web browser is commonly used.

I think the problem lies in the hi-jacking of the terms "SSL" and "VPN" by
marketing.  I have seen where Citrix (i.e. thin-client Window
workstations) say they offer a "VPN connection over a SSL link using a web
browser".  Turns out ot be a small Java application running in the web
browser that uses SSL (i.e. HTTPS) to move screen updates back and forth
between the server and the remote client.

This doesn't get around the key-logging problem (not much does), but it
does make it extremely easy to get a new user setup -- they only need a
supported browser, a supported JVM, and an Internet connection that allow
HTTPS connections.

The SSL VPNs that Jim is referring to are the more classic VPNs which use
SSL key exchange and encryption over port 443 (HTTPS).  This allows a user
to VPN out even if the firewall he is behind only allows HTTP/HTTPS
access.

In either case, if a key logger is installed on the workstation then their
password is lost.  The SSL VPN which does not use a browser should be
immune to browser based logging, but given the flexibility, power, and
features of ActiveX (or Java, or JavaScript) web applications, I wouldn't
be surprised if someone wrote a key logger that could capture outside of
the browser, especially if a few small un-patched holes are present. :(

Dan

- - - - -
Wait for that wisest of all counselors, Time.
 -- Pericles
"I do not fear computer,I fear the lack of them."
 -- Isaac Asimov
GPG fingerprint:9EE8 ABAE 10D3 0B55 C536  E17A 3620 4DCA A533 19BF

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFCjQwGNiBNyqUzGb8RAnJcAJ4jIdx1SPDbrvAYJKCAtF99QhlyeACfQJY0
iPd2LO1QVxKIClb7FF/lW/c=
=tJ0l
-----END PGP SIGNATURE-----



More information about the OLUG mailing list