Forgot your password?
typodupeerror
Education Security United Kingdom News

UK Universities Caught With Weak SSL Security 40

Posted by samzenpus
from the come-on-in dept.
judgecorp writes "UK Universities have been found using weak SSL security implementations on their websites. An investigation by TechWeekEurope found 17 of the top 50 British universities scored C or worse on the SSL Labs tool launched by the Trustworthy Internet Movement earlier this year, which grades SSL security. Contacted by the site, most have put upgrades in place to improve security."
This discussion has been archived. No new comments can be posted.

UK Universities Caught With Weak SSL Security

Comments Filter:
  • by Anonymous Coward on Thursday June 28, 2012 @06:01AM (#40476671)

    In the end, Unis don't want web services to be their core business.
    Where once Sysadmins managed the web, now it is run by project managers,
    consultants, standardised, virtualised, outsourced or offshored.
    The nerds get marginalised and the job gets dumbed down.
    Quality falls, hilarity ensues. Everybody dies.

    • by Cryacin (657549)
      Silly question. Why not make the security of the university part of a few courses? One team sets up the defensive strategy, the next team the offensive. Switch mid term.
      • You missed the start of War Games, right? How about Hackers?

        Students working on your security make for an underground market of answer sheets and grade changes.
        • You missed the start of War Games, right?

          The start of WarGames... let's see IIRC... Mr. Blonde nearly ended Leo McGarry because he didn't want to press the Big Red Button®... and it turned out the launch command was just an exercise, so it's a good thing Mr. McGarry had a conscience and didn't end the world, but they replaced all the silo monkeys with old blinking light props from Star Trek anyway, which set the stage for Skynet, the A.I. created by Cyberdyne Systems for SAC-NORAD, which we find out the following year regarded all humans as a

    • by tehcyder (746570)

      Quality falls, hilarity ensues. Everybody dies.

      That sounds like the last paragraph of a Samuel Beckett story. Good work.

  • by VortexCortex (1117377) <`VortexCortex' ` ... -retrograde.com'> on Thursday June 28, 2012 @06:35AM (#40476787) Homepage

    TechWeekEurope found 17 of the top 50 British universities scored C or worse on the SSL Labs tool

    All right, which of you tossers went and buggered the curve?

  • Nice tool (Score:5, Interesting)

    by oobayly (1056050) on Thursday June 28, 2012 @06:38AM (#40476801)

    Our websites were rated at C/D, and our intranet was susceptible to BEAST*. It's also quite handy for advising you on what ciphers to disable. All at A now - it's given me a nice warm feeling inside.

    * Yes, I know, BEAST was published in September - I know I'm not worth my salt.

    • by johnjones (14274)

      actually it does not matter I'll just poison your DNS since they don't have DNSSEC... BEAST is the least of their worries...

      have fun now kids

    • by jamesh (87723)

      Our websites were rated at C/D, and our intranet was susceptible to BEAST*. It's also quite handy for advising you on what ciphers to disable. All at A now - it's given me a nice warm feeling inside.

      * Yes, I know, BEAST was published in September - I know I'm not worth my salt.

      OTOH, you took your medicine and fixed things rather than try and bury the report... you get to keep your geek card for now but we will require you to return your management card.

    • by ledow (319597)

      My sites score an A, but are vulnerable to BEAST.

      The problem I have is that I'm running an up-to-date Ubuntu LTS edition that apparently is vulnerable, so there's little I can do about BEAST short of recompiling everything myself from what I see.

      But, to be honest, the SSL isn't protecting anything vital and is only really used by myself so BEAST is pretty much a non-issue.

      My SSL cert cost me $50 for 5 years, so I'm not really worried but it does put it in perspective when it comes to how easy getting an "A"

  • by Anonymous Coward on Thursday June 28, 2012 @07:05AM (#40476911)

    This is hilarious. "Weak SSL Security Settings" is what pentesters write to pad out their report when they run out of useful findings. Universities have the poorest computer security of any type of organisation, period. Now, there are a lot of reasons for that - one of which is the inherent conflict between running an "open" network and keeping things secure. But if "poor SSL security settings" is the worst security issue a uni has, they are doing incredibly well.

    Weak SSL security is something you exploit if a) you're a government, or b) you're screwing around with people in a coffee shop. Most of the published attacks are academic, and the only tool people regularly use is sslstrip or attacks along those lines. Hell, most users click through certificate warnings anyway.

    But hey, even though SSL is "not usually the actual problem", these things should be fixed. If you want to test your own site, head over to: https://www.ssllabs.com/ssltest/index.html and plug in your domain name. If you're just running a "1 apache site", that satisfying green bar or "A grade" is just a few config stanzas and a restart away.

    • My server is barely-configured and uses a self-signed cert for the wrong hostname. This should be good.

      Grade: F
      Score: Zero.

      I'm not going to get it signed. Have you seen how much that costs?
      • by piripiri (1476949)

        Have you seen how much that costs?

        StartSSL [startssl.com] provides class 1 certificates at no cost!

        • Have you seen how much that costs?

          StartSSL [startssl.com] provides class 1 certificates at no cost!

          Which might be way beyond GP's budget. Anyway, StartSSL's server appears to be down (slashdotted?).

      • by KiloByte (825081)
        That's because of the VeriSign/Thawte racket. They charge money for no work. According to SSL design, any certificate is supposed to undergo more checking that they currently do for EV certs. Since the CAs are not going to actually do the checking, it is time to move to DNSSEC-based signatures, which are strictly better than the present state. Even if the CAs themselves would be perfectly secure, they sell certificates to anyone who can read mail sent to the given domain, and if you can set DNSSEC, you
      • by ledow (319597)

        I got a 5-year cert from GoDaddy for $50. It's really not that much if you've bothered to have an SSL port exposed to the world. It scores "A" on that site and doesn't produce any kind of cert warning in any browser that I know of (and Opera is particularly fussy about SSL certs).

        Beyond that, a number of SSL suppliers give out free certs now for the lower end (not saying you'd score "A" but they probably wouldn't error out in most browsers and would give you a basic "padlock").

        Just watch out. There are s

      • Have you seen how much that costs?

        IIRC if you only need one domain on the cert then startssl will do it for free. If you want wildcards or multiple names on the cert then you will have to pay a bit but IIRC it's not horiffically expensive.

    • These are open websites, no confidential information, it is just a public facing system

      Like people "hacking the FBI" it is meaningless to have access to a website that only provides information, you already have the information before you hacked it ...

      This is security company scanning websites that don't care and finding they are "insecure" according to their own tool ... ...most of these tools have scary warnings that a system is insecure "in flashing bright red letters" for very minor and largely irreleva

    • by Kozz (7764)

      If you're just running a "1 apache site", that satisfying green bar or "A grade" is just a few config stanzas and a restart away.

      I'm not running one, but four. Still, not a big deal. I thought I'd check it out their reporting tool which tells me:

      BEAST attack -- Vulnerable INSECURE (more info [qualys.com])
      Secure Renegotiation -- Not supported ACTION NEEDED (more info [qualys.com])
      Insecure Renegotiation -- Supported INSECURE (more info [qualys.com])

      That's fine and dandy. But each of the "more info" links goes to a blog posting that discusses the topic just a little bit, and only one of them provides enough information to fix it. Thankfully our sites aren't handling financial transactions of any kind, or I might have to actually locate a fix... how is everyone else fixing this (esp. the renegotiation vulnerability) if there's nothing

    • by jonwil (467024)

      The bad thing is how many important SSL sites (banks and others) get a fail in various areas of the SSL test.

      The SSL for my banks internet banking site fails both the "secure renegotiation" and "insecure renegotiation". Not that the other Australian banks are any better...

  • by fa2k (881632) <pmbjornstad&gmail,com> on Thursday June 28, 2012 @09:05AM (#40477535)

    Doing research requires setting up a lot of one-off services, like a logbook, wiki, etc. Getting correct certificates for these things is a pain, and it's just not done. So users end up having to accept a large number of self-signed certificates, and bypass the annoying warnings in Firefox. SSL seems to have been designed for large shopping websites, while temporary and small-time web sites / services can't use it effectively. Using a self-signed certificate is much better than not encrypting data, as it prevents snooping in most cases (except for MITM attacks), so this is done. It would be good if browsers adopted a model more similar to SSH's "known_hosts", where there was a simple prompt for first-time visits to sites with unknown self-signed certificates, and the certificate was saved. They could reserve the ridiculous end-of-the-world warnings (like they show currently) for when the certificate changed unexpectedly. People should probably never use short expiry dates for self-signed certificate (unless they set up a CA)

  • by Anonymous Coward

    Unfortunately that's not the end of it. I recently found out my alma mater uses software to manage the alumni records from a company called Blackbaud. The software includes a website that alumni can use to keep the university up to date with their contact details, find out about events and hunt down old classmates. The engineers at Blackbaud in their infinite wisdom chose to store passwords in a recoverable format. I nearly flipped when I did a password recovery a few weeks back and was sent my actual pa

"The Amiga is the only personal computer where you can run a multitasking operating system and get realtime performance, out of the box." -- Peter da Silva

Working...