
UK Universities Caught With Weak SSL Security

samzenpus posted about 2 years ago | from the come-on-in dept.

Education 40

judgecorp writes "UK Universities have been found using weak SSL security implementations on their websites. An investigation by TechWeekEurope found 17 of the top 50 British universities scored C or worse on the SSL Labs tool launched by the Trustworthy Internet Movement earlier this year, which grades SSL security. Contacted by the site, most have put upgrades in place to improve security."


40 comments

Denerdification of the Industry (5, Insightful)

Anonymous Coward | about 2 years ago | (#40476671)

In the end, Unis don't want web services to be their core business.
Where once Sysadmins managed the web, now it is run by project managers,
consultants, standardised, virtualised, outsourced or offshored.
The nerds get marginalised and the job gets dumbed down.
Quality falls, hilarity ensues. Everybody dies.

Re:Denerdification of the Industry (2)

Cryacin (657549) | about 2 years ago | (#40476981)

Silly question. Why not make the security of the university part of a few courses? One team sets up the defensive strategy, the next team the offensive. Switch mid term.

Re:Denerdification of the Industry (1)

L4t3r4lu5 (1216702) | about 2 years ago | (#40477037)

You missed the start of War Games, right? How about Hackers?

Students working on your security make for an underground market of answer sheets and grade changes.

Re:Denerdification of the Industry (1)

catmistake (814204) | about 2 years ago | (#40479129)

You missed the start of War Games, right?

The start of WarGames... let's see IIRC... Mr. Blonde nearly ended Leo McGarry because he didn't want to press the Big Red Button®... and it turned out the launch command was just an exercise, so it's a good thing Mr. McGarry had a conscience and didn't end the world, but they replaced all the silo monkeys with old blinking light props from Star Trek anyway, which set the stage for Skynet, the A.I. created by Cyberdyne Systems for SAC-NORAD, which we find out the following year regarded all humans as a threat; not just the ones on the other side, and decided our fate in a microsecond: extermination. It's too bad we didn't just let Joshua keep playing the game... Skynet wouldn't have had a chance against the WOPR.

Re:Denerdification of the Industry (0)

Anonymous Coward | about 2 years ago | (#40477083)

Start with the essential. Switch every desktop to Linux or another NIX flavor. Stop the Winbot commerce once and for all.

Re:Denerdification of the Industry (1)

tehcyder (746570) | about 2 years ago | (#40491571)

Start with the essential. Switch every desktop to Linux or another NIX flavor. Stop the Winbot commerce once and for all.

What would that have to do with their website's security? Do you think they are running their sites off a Windows desktop machine?

Re:Denerdification of the Industry (0)

Anonymous Coward | about 2 years ago | (#40477023)

In short, people who are totally and utterly uncompetent and ignorant, yet overpaid.

Re:Denerdification of the Industry (0)

Anonymous Coward | about 2 years ago | (#40477051)

I meant "incompetent"

Re:Denerdification of the Industry (0)

Anonymous Coward | about 2 years ago | (#40477091)

I liked uncompetent, it's a bit like unpossible which I also like.

Re:Denerdification of the Industry (1)

tehcyder (746570) | about 2 years ago | (#40491583)

In short, people who are totally and utterly uncompetent and ignorant, yet overpaid.

Whereas you, of course, are absolutely competent and brilliant, yet underpaid.

If it's really so easy to be "overpaid", why don't you go and do it? I'm sure you could disguise your 1337 knowledge if you tried.

Re:Denerdification of the Industry (0)

Anonymous Coward | about 2 years ago | (#40482413)

But but but my mom and dad said geeks would become the CEOs in the future, not the jocks!

Re:Denerdification of the Industry (1)

tehcyder (746570) | about 2 years ago | (#40491553)

Quality falls, hilarity ensues. Everybody dies.

That sounds like the last paragraph of a Samuel Beckett story. Good work.

Bloody Hell. (5, Funny)

VortexCortex (1117377) | about 2 years ago | (#40476787)

TechWeekEurope found 17 of the top 50 British universities scored C or worse on the SSL Labs tool

All right, which of you tossers went and buggered the curve?

Nice tool (4, Interesting)

oobayly (1056050) | about 2 years ago | (#40476801)

Our websites were rated at C/D, and our intranet was susceptible to BEAST*. It's also quite handy for advising you on what ciphers to disable. All at A now - it's given me a nice warm feeling inside.

* Yes, I know, BEAST was published in September - I know I'm not worth my salt.

Re:Nice tool (2)

johnjones (14274) | about 2 years ago | (#40477095)

actually it does not matter I'll just poison your DNS since they don't have DNSSEC... BEAST is the least of their worries...

have fun now kids

Re:Nice tool (2)

jamesh (87723) | about 2 years ago | (#40477185)

Our websites were rated at C/D, and our intranet was susceptible to BEAST*. It's also quite handy for advising you on what ciphers to disable. All at A now - it's given me a nice warm feeling inside.

* Yes, I know, BEAST was published in September - I know I'm not worth my salt.

OTOH, you took your medicine and fixed things rather than try and bury the report... you get to keep your geek card for now but we will require you to return your management card.

Re:Nice tool (2)

ledow (319597) | about 2 years ago | (#40477251)

My sites score an A, but are vulnerable to BEAST.

The problem I have is that I'm running an up-to-date Ubuntu LTS edition that apparently is vulnerable, so there's little I can do about BEAST short of recompiling everything myself from what I see.

But, to be honest, the SSL isn't protecting anything vital and is only really used by myself so BEAST is pretty much a non-issue.

My SSL cert cost me $50 for 5 years, so I'm not really worried but it does put it in perspective when it comes to how easy getting an "A" can be, even when you are vulnerable to a known attack. Kinda makes their rating pretty worthless, actually.

Re:Nice tool (1)

Thing I am (761900) | about 2 years ago | (#40477357)

You don't need to recompile anything. Just modify your Apache config to turn on SSLHonorCipherOrder and select which ciphersuites to use. SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL
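To see what that SSLCipherSuite string actually selects, and why SSLHonorCipherOrder matters, here is an added example (not code from the Slashdot comment or from Apache/OpenSSL) that models OpenSSL's cipher-string evaluation over a small constructed table of 2012-era suites. The `!`, `-`, `+` and bare-token rules follow OpenSSL's documented semantics, but the suite table, the `CBC` tag and the `first_choice_is_cbc` helper are assumptions made for the demonstration, and the model does not reproduce OpenSSL's strength sorting of `ALL`. Putting RC4 first was the server-side BEAST workaround of the time; RC4 has since been prohibited for TLS by RFC 7465, so the string is shown for what it did then, not as a current recommendation.

```python
# Added example (not from the Slashdot comment): a simplified model of how an
# OpenSSL/Apache SSLCipherSuite string is evaluated, so the effect of the string
# quoted above can be seen without a server. The suite table is a constructed
# subset of 2012-era names; real OpenSSL knows many more suites and keywords and
# also sorts ALL by strength, which this model does not do.
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    tags: frozenset  # OpenSSL keywords the suite matches


# aNULL: no server authentication (anonymous DH); eNULL: no encryption;
# EXPORT: export-grade key sizes; DSS: DSA auth; DES: single DES; RC4: RC4 stream
# cipher; CBC: block cipher in CBC mode (what BEAST attacks in TLS 1.0).
SUITES = [
    Suite("AES256-SHA",         frozenset({"AES", "CBC", "RSA"})),
    Suite("AES128-SHA",         frozenset({"AES", "CBC", "RSA"})),
    Suite("DHE-DSS-AES128-SHA", frozenset({"AES", "CBC", "DSS"})),
    Suite("RC4-SHA",            frozenset({"RC4", "RSA"})),
    Suite("RC4-MD5",            frozenset({"RC4", "RSA"})),
    Suite("DES-CBC-SHA",        frozenset({"DES", "CBC", "RSA"})),
    Suite("EXP-RC4-MD5",        frozenset({"RC4", "EXPORT", "RSA"})),
    Suite("ADH-AES128-SHA",     frozenset({"AES", "CBC", "aNULL"})),
    Suite("NULL-SHA",           frozenset({"eNULL", "RSA"})),
]
BY_NAME = {s.name: s for s in SUITES}


def matches(suite: Suite, token: str) -> bool:
    if token == "ALL":
        return "eNULL" not in suite.tags  # ALL never includes the null ciphers
    return token == suite.name or token in suite.tags


def evaluate(cipher_string: str) -> list:
    """Ordered suite names the string enables.
    '!X' removes X for good, '-X' removes X but lets a later token re-add it,
    '+X' moves X to the end, bare X appends X if not already present."""
    selected, killed = [], set()
    for token in cipher_string.split(":"):
        if not token:
            continue
        op, name = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        if op == "!":
            killed.update(s.name for s in SUITES if matches(s, name))
            selected = [n for n in selected if n not in killed]
        elif op == "-":
            selected = [n for n in selected if not matches(BY_NAME[n], name)]
        elif op == "+":
            moved = [n for n in selected if matches(BY_NAME[n], name)]
            selected = [n for n in selected if n not in moved] + moved
        else:
            for s in SUITES:
                if matches(s, name) and s.name not in killed and s.name not in selected:
                    selected.append(s.name)
    return selected


def first_choice_is_cbc(cipher_string: str) -> bool:
    """With SSLHonorCipherOrder on, the first suite both sides support wins;
    this reports whether that top choice is a CBC suite (the BEAST-era concern).
    Assumed helper for the demonstration, not an OpenSSL function."""
    order = evaluate(cipher_string)
    return bool(order) and "CBC" in BY_NAME[order[0]].tags


if __name__ == "__main__":
    for s in ("ALL:!aNULL", "!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL"):
        print(f"{s}\n  -> {evaluate(s)}  (top choice CBC: {first_choice_is_cbc(s)})")
```

Run stand-alone it prints the two orderings: a plain `ALL:!aNULL` leaves a CBC suite at the top, while the quoted string puts the RC4 suites first and drops the anonymous, null, export, DSS and single-DES suites entirely. Without SSLHonorCipherOrder the client's preference order decides instead, so the server-side ordering alone changes nothing.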

Re:Nice tool (1)

heypete (60671) | about 2 years ago | (#40477395)

Doesn't pretty much every modern browser support client-side workarounds that prevent BEAST? I know OpenSSL's supported it for years.

I suspect that the "vulnerable to BEAST" issues will disappear once OpenSSL releases (and the various distros distribute) a version that supports TLS 1.1 and 1.2, neither of which is vulnerable.

Oh noes! Weak SSL Security Settings! (5, Informative)

Anonymous Coward | about 2 years ago | (#40476911)

This is hilarious. "Weak SSL Security Settings" is what pentesters write to pad out their report when they run out of useful findings. Universities have the poorest computer security of any type of organisation, period. Now, there are a lot of reasons for that - one of which is the inherent conflict between running an "open" network and keeping things secure. But if "poor SSL security settings" is the worst security issue a uni has, they are doing incredibly well.

Weak SSL security is something you exploit if a) you're a government, or b) you're screwing around with people in a coffee shop. Most of the published attacks are academic, and the only tool people regularly use is sslstrip or attacks along those lines. Hell, most users click through certificate warnings anyway.

But hey, even though SSL is "not usually the actual problem", these things should be fixed. If you want to test your own site, head over to: https://www.ssllabs.com/ssltest/index.html and plug in your domain name. If you're just running a "1 apache site", that satisfying green bar or "A grade" is just a few config stanzas and a restart away.

Re:Oh noes! Weak SSL Security Settings! (2)

SuricouRaven (1897204) | about 2 years ago | (#40477003)

My server is barely-configured and uses a self-signed cert for the wrong hostname. This should be good.

Grade: F
Score: Zero.

I'm not going to get it signed. Have you seen how much that costs?

Re:Oh noes! Weak SSL Security Settings! (1)

piripiri (1476949) | about 2 years ago | (#40477055)

Have you seen how much that costs?

StartSSL [startssl.com] provides class 1 certificates at no cost!

Re:Oh noes! Weak SSL Security Settings! (1)

AliasMarlowe (1042386) | about 2 years ago | (#40478773)

Have you seen how much that costs?

StartSSL [startssl.com] provides class 1 certificates at no cost!

Which might be way beyond GP's budget. Anyway, StartSSL's server appears to be down (slashdotted?).

Re:Oh noes! Weak SSL Security Settings! (1)

KiloByte (825081) | about 2 years ago | (#40477089)

That's because of the VeriSign/Thawte racket. They charge money for no work. According to SSL design, any certificate is supposed to undergo more checking that they currently do for EV certs. Since the CAs are not going to actually do the checking, it is time to move to DNSSEC-based signatures, which are strictly better than the present state. Even if the CAs themselves would be perfectly secure, they sell certificates to anyone who can read mail sent to the given domain, and if you can set DNSSEC, you can set a MX just as well. So the current state of SSL is nothing but a money grab.

Re:Oh noes! Weak SSL Security Settings! (1)

ledow (319597) | about 2 years ago | (#40477279)

I got a 5-year cert from GoDaddy for $50. It's really not that much if you've bothered to have an SSL port exposed to the world. It scores "A" on that site and doesn't produce any kind of cert warning in any browser that I know of (and Opera is particularly fussy about SSL certs).

Beyond that, a number of SSL suppliers give out free certs now for the lower end (not saying you'd score "A" but they probably wouldn't error out in most browsers and would give you a basic "padlock").

Just watch out. There are some companies (like my server host) trying to charge me £89 a year for something that I can get for $50 for 5 years. Just shop around, there's lots of cheap certs to be had and because it's a standard and they are signed by pretty much the same entities in the end, if it passes the browser tests, it's the same no matter what you paid for it.

Oh, and steer clear of EV certs. What a scam. You won't find a cheap one of those at all.

Re:Oh noes! Weak SSL Security Settings! (0)

Anonymous Coward | about 2 years ago | (#40479437)

You can get a 5 year cert for $29.95: http://www.cheapssls.com/index.php?dispatch=products.view&product_id=3 or a 5 year wildcard for $389.95: http://www.cheapssls.com/comodo-ssl-certificates/positivessl-wildcard.html

Re:Oh noes! Weak SSL Security Settings! (2)

petermgreen (876956) | about 2 years ago | (#40478015)

Have you seen how much that costs?

IIRC if you only need one domain on the cert then startssl will do it for free. If you want wildcards or multiple names on the cert then you will have to pay a bit but IIRC it's not horrifically expensive.

Re:Oh noes! Weak SSL Security Settings! (1)

JasterBobaMereel (1102861) | about 2 years ago | (#40477191)

These are open websites, no confidential information, it is just a public facing system

Like people "hacking the FBI" it is meaningless to have access to a website that only provides information, you already have the information before you hacked it ...

This is a security company scanning websites that don't care and finding they are "insecure" according to their own tool... Most of these tools have scary warnings that a system is insecure "in flashing bright red letters" for very minor and largely irrelevant issues

Re:Oh noes! Weak SSL Security Settings! (0)

Anonymous Coward | about 2 years ago | (#40477247)

It's a shame that their test claims "BEAST vulnerable" and then links to a page with recommendations that, when implemented, still leave your site "BEAST vulnerable" (according to them anyway).

Huh?

Re:Oh noes! Weak SSL Security Settings! (1)

Enry (630) | about 2 years ago | (#40477335)

If I read the page correctly, it reduces the vulnerability to BEAST with the problem being that the full fix is on the client side.

Re:Oh noes! Weak SSL Security Settings! (2)

Kozz (7764) | about 2 years ago | (#40477307)

If you're just running a "1 apache site", that satisfying green bar or "A grade" is just a few config stanzas and a restart away.

I'm not running one, but four. Still, not a big deal. I thought I'd check out their reporting tool, which tells me:

BEAST attack -- Vulnerable INSECURE (more info [qualys.com])
Secure Renegotiation -- Not supported ACTION NEEDED (more info [qualys.com])
Insecure Renegotiation -- Supported INSECURE (more info [qualys.com])

That's fine and dandy. But each of the "more info" links goes to a blog posting that discusses the topic just a little bit, and only one of them provides enough information to fix it. Thankfully our sites aren't handling financial transactions of any kind, or I might have to actually locate a fix... how is everyone else fixing this (esp. the renegotiation vulnerability) if there's nothing available to remedy it except for disabling renegotiation?

Re:Oh noes! Weak SSL Security Settings! (1)

thoughtsatthemoment (1687848) | about 2 years ago | (#40477531)

What's the reason for the feature of renegotiation? Why not just timeout and re-connect?

Re:Oh noes! Weak SSL Security Settings! (0)

Anonymous Coward | about 2 years ago | (#40477615)

One example: suppose you've got a web site, some of which is public and some of which requires a client certificate. When you visit the private part the server will renegotiate the security to request the client certificate. This happens seamlessly. Without renegotiation, the request would fail and HTTP doesn't have a status code that would make the client retry the request on a new connection.

Re:Oh noes! Weak SSL Security Settings! (1)

jonwil (467024) | about 2 years ago | (#40477473)

The bad thing is how many important SSL sites (banks and others) get a fail in various areas of the SSL test.

The SSL for my bank's internet banking site fails both the "secure renegotiation" and "insecure renegotiation". Not that the other Australian banks are any better...

SSL over HTTP is there to soothe (-1)

Anonymous Coward | about 2 years ago | (#40476989)

Who manages the private keys?
What guarantee do you have that the private keys are not secretly handed over to other organizations?
If a certificate is loaded on a router or gateway, all traffic leaving the exit nodes is unencrypted. Who controls or sees that traffic? Where is that traffic going to?
Isn't trust the weakest link in any security?
Why should I trust an organization or a CA to manage my privacy or act on my behalf?
CAs were hacked in the past, because they were sloppy. They still are. They are in it for the money, not because they care about your privacy.

HTTPS is the answer for a false sense of security.

SSL not a good fit for uni (2)

fa2k (881632) | about 2 years ago | (#40477535)

Doing research requires setting up a lot of one-off services, like a logbook, wiki, etc. Getting correct certificates for these things is a pain, and it's just not done. So users end up having to accept a large number of self-signed certificates, and bypass the annoying warnings in Firefox. SSL seems to have been designed for large shopping websites, while temporary and small-time web sites / services can't use it effectively. Using a self-signed certificate is much better than not encrypting data, as it prevents snooping in most cases (except for MITM attacks), so this is done. It would be good if browsers adopted a model more similar to SSH's "known_hosts", where there was a simple prompt for first-time visits to sites with unknown self-signed certificates, and the certificate was saved. They could reserve the ridiculous end-of-the-world warnings (like they show currently) for when the certificate changed unexpectedly. People should probably never use short expiry dates for self-signed certificates (unless they set up a CA).
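The known_hosts-style model described in the comment above, as an added example that is not part of the original post: a trust-on-first-use pin store keyed by host and port. The certificates are constructed byte strings standing in for DER encodings (a real client would take the bytes from `ssl.SSLSocket.getpeercert(binary_form=True)`); the `PinStore` class, its return values and the file format are assumptions for the demonstration. It also shows why the post's last sentence matters: a short-lived self-signed certificate trips the "changed" path on every renewal, which is exactly the loud warning the model reserves for a real problem.

```python
# Added example (not from the Slashdot comment): a trust-on-first-use store for
# server certificates, modelled on SSH's known_hosts as the post suggests.
# The "certificates" below are constructed byte strings standing in for DER
# encodings; a real client would use ssl.SSLSocket.getpeercert(binary_form=True).
import hashlib
import json
from pathlib import Path

NEW, MATCH, CHANGED = "new", "match", "changed"


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate, hex: the same value a browser displays."""
    return hashlib.sha256(der).hexdigest()


class PinStore:
    """Maps host:port to the certificate fingerprint first seen there.
    Assumed class for the demonstration, not a browser or stdlib API."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=1))

    def check(self, host: str, port: int, der: bytes) -> str:
        """First visit: pin it and return NEW (the 'simple prompt' case).
        Same certificate later: MATCH. Different certificate: CHANGED, which is
        where the loud warning belongs; the old pin is deliberately NOT replaced."""
        key = f"{host}:{port}"
        fp = fingerprint(der)
        pinned = self.pins.get(key)
        if pinned is None:
            self.pins[key] = fp
            self._save()
            return NEW
        return MATCH if pinned == fp else CHANGED

    def accept_change(self, host: str, port: int, der: bytes) -> None:
        """Explicit user action after confirming the new certificate out of band
        (the equivalent of editing known_hosts by hand)."""
        self.pins[f"{host}:{port}"] = fingerprint(der)
        self._save()


# Constructed stand-ins for two DER certificates of the same lab wiki.
CERT_V1 = b"-- constructed cert for wiki.example.edu, serial 1 --"
CERT_V2 = b"-- constructed cert for wiki.example.edu, serial 2 --"


def demo() -> list:
    """Walk through first visit, revisit and an unexpected certificate change."""
    store = PinStore()  # in-memory; pass a path to persist across runs
    host, port = "wiki.example.edu", 443
    return [
        store.check(host, port, CERT_V1),  # new: pin and continue with a prompt
        store.check(host, port, CERT_V1),  # match: silent, as with a known host
        store.check(host, port, CERT_V2),  # changed: the end-of-the-world warning
    ]


if __name__ == "__main__":
    print(demo())
```

The weakness the comment already concedes ("except for MITM attacks") is the first connection: nothing verifies the certificate that gets pinned, so the model trades certificate-authority trust for continuity of identity after that first visit.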

Tip of the iceberg... (1)

Anonymous Coward | about 2 years ago | (#40478195)

Unfortunately that's not the end of it. I recently found out my alma mater uses software to manage the alumni records from a company called Blackbaud. The software includes a website that alumni can use to keep the university up to date with their contact details, find out about events and hunt down old classmates. The engineers at Blackbaud in their infinite wisdom chose to store passwords in a recoverable format. I nearly flipped when I did a password recovery a few weeks back and was sent my actual password... in plaintext.

I contacted the university and after a long wait, during which the LinkedIn password leak occurred, I got the answer of "we use this software, there's nothing we can do about it".
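The problem the comment above describes (a site that can e-mail you your actual password) and its fix, as an added example that is neither the commenter's code nor Blackbaud's: the recoverable record is shown only to contrast it with a salted, iterated hash that can verify a password but not give it back, plus a reset flow that never needs the old password. The function names, record layout and iteration count are assumptions for the demonstration.

```python
# Added example (not from the Slashdot comment, and not Blackbaud's code):
# recoverable password storage beside a salted, iterated hash, and a reset flow
# that hands out a short-lived token instead of the password itself.
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 200_000  # assumed value; raise it as far as login latency allows


def store_recoverably(password: str) -> dict:
    """What the post describes: whoever reads the record (or the backup, or the
    mail server) has the password. Shown only for contrast."""
    return {"password": password}


def hash_password(password: str) -> dict:
    """Salted PBKDF2-HMAC-SHA256. The record lets the site check a password
    later but contains nothing from which the password can be recovered."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iter": ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def issue_reset_token(user_id: str, ttl_seconds: int = 900) -> tuple:
    """'Forgot password' without a password to send: the plain token goes into
    the e-mailed link, the database keeps only its hash and an expiry."""
    token = secrets.token_urlsafe(32)
    record = {"user": user_id,
              "token_hash": hashlib.sha256(token.encode()).hexdigest(),
              "expires": time.time() + ttl_seconds}
    return token, record


def redeem_reset_token(token: str, record: dict, now: float = None) -> bool:
    """Valid only before expiry and only for the exact token that was issued."""
    now = time.time() if now is None else now
    if now > record["expires"]:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    return hmac.compare_digest(presented, record["token_hash"])


if __name__ == "__main__":
    # Constructed sample password; nothing here touches a real account.
    rec = hash_password("correct horse battery staple")
    print("stored record:", rec)
    print("verify correct:", verify_password(rec, "correct horse battery staple"))
    print("verify wrong:  ", verify_password(rec, "hunter2"))
    tok, treq = issue_reset_token("alumni-0001")
    print("reset link token redeems:", redeem_reset_token(tok, treq))
```

Two properties are worth checking in the output: hashing the same password twice yields different records because each gets its own salt, and the reset record stores a hash of the token, so a leaked database does not let anyone complete a reset any more than it lets them read a password.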
