UK Universities Caught With Weak SSL Security

judgecorp writes "UK Universities have been found using weak SSL security implementations on their websites. An investigation by TechWeekEurope found 17 of the top 50 British universities scored C or worse on the SSL Labs tool launched by the Trustworthy Internet Movement earlier this year, which grades SSL security. Contacted by the site, most have put upgrades in place to improve security."

Denerdification of the Industry

[Anonymous Coward]

In the end, Unis don't want web services to be their core business.
Where once Sysadmins managed the web, now it is run by project managers,
consultants, standardised, virtualised, outsourced or offshored.
The nerds get marginalised and the job gets dumbed down.
Quality falls, hilarity ensues. Everybody dies.

Re:

[Cryacin]

Silly question. Why not make the security of the university part of a few courses? One team sets up the defensive strategy, the next team the offensive. Switch mid term.

Re:

[L4t3r4lu5]

You missed the start of War Games, right? How about Hackers?

Students working on your security make for an underground market of answer sheets and grade changes.

Re:

[catmistake]

You missed the start of War Games, right?

The start of WarGames... let's see IIRC... Mr. Blonde nearly ended Leo McGarry because he didn't want to press the Big Red Button®... and it turned out the launch command was just an exercise, so it's a good thing Mr. McGarry had a conscience and didn't end the world, but they replaced all the silo monkeys with old blinking light props from Star Trek anyway, which set the stage for Skynet, the A.I. created by Cyberdyne Systems for SAC-NORAD, which we find out the following year regarded all humans as a

Re:

[L4t3r4lu5]

+1 Pedantry to you, Sir.

Re:

[tehcyder]

Start with the essential. Switch every desktop to Linux or another NIX flavor. Stop the Winbot commerce once and for all.

What would that have to do with their website's security? Do you think they are running their sites off a Windows desktop machine?

Re:

[tehcyder]

In short, people who are totally and utterly uncompetent and ignorant, yet overpaid.

Whereas you, of course, are absolutely competent and brilliant, yet underpaid.

If it's really so easy to be "overpaid", why don't you go and do it? I'm sure you could disguise your 1337 knowledge if you tried.

Re:

[tehcyder]

Quality falls, hilarity ensues. Everybody dies.

That sounds like the last paragraph of a Samuel Beckett story. Good work.

Bloody Hell.

[VortexCortex]

TechWeekEurope found 17 of the top 50 British universities scored C or worse on the SSL Labs tool

All right, which of you tossers went and buggered the curve?

Nice tool

[oobayly]

Our websites were rated at C/D, and our intranet was susceptible to BEAST*. It's also quite handy for advising you on what ciphers to disable. All at A now - it's given me a nice warm feeling inside.

* Yes, I know, BEAST was published in September - I know I'm not worth my salt.

Re:

[johnjones]

actually it does not matter I'll just poison your DNS since they don't have DNSSEC... BEAST is the least of their worries...

have fun now kids

Re:

[jamesh]

Our websites were rated at C/D, and our intranet was susceptible to BEAST*. It's also quite handy for advising you on what ciphers to disable. All at A now - it's given me a nice warm feeling inside.

* Yes, I know, BEAST was published in September - I know I'm not worth my salt.

OTOH, you took your medicine and fixed things rather than try and bury the report... you get to keep your geek card for now but we will require you to return your management card.

Re:

[ledow]

My sites score an A, but are vulnerable to BEAST.

The problem I have is that I'm running an up-to-date Ubuntu LTS edition that apparently is vulnerable, so there's little I can do about BEAST short of recompiling everything myself from what I see.

But, to be honest, the SSL isn't protecting anything vital and is only really used by myself so BEAST is pretty much a non-issue.

My SSL cert cost me $50 for 5 years, so I'm not really worried but it does put it in perspective when it comes to how easy getting an "A"

Re:

[Thing I am]

You don't need to recompile anything. Just modified your Apache config to turn on SSLHonorCipherOrder and select which ciphersuites to use. SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL

Re:

[heypete]

Doesn't pretty much every modern browser support client-side workarounds that prevent BEAST? I know OpenSSL's supported it for years.

I suspect that the "vulnerable to BEAST" issues will disappear once OpenSSL releases (and the various distros distribute) a version that supports TLS 1.1 and 1.2, neither of which are vulnerable.

Re:

[tehcyder]

SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL

That's easy for you to say.

Re:

[oobayly]

As has been mentioned, no recompiling is necessary:

https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls [qualys.com]

Oh noes! Weak SSL Security Settings!

[Anonymous Coward]

This is hilarious. "Weak SSL Security Settings" is what pentesters write to pad out their report when they run out of useful findings. Universities have the poorest computer security of any type of organisation, period. Now, there are a lot of reasons for that - one of which is the inherent conflict between running an "open" network and keeping things secure. But if "poor SSL security settings" is the worst security issue a uni has, they are doing incredibly well.

Weak SSL security is something you exploit if a) you're a government, or b) you're screwing around with people in a coffee shop. Most of the published attacks are academic, and the only tool people regularly use is sslstrip or attacks along those lines. Hell, most users click through certificate warnings anyway.

But hey, even though SSL is "not usually the actual problem", these things should be fixed. If you want to test your own site, head over to: https://www.ssllabs.com/ssltest/index.html and plug in your domain name. If you're just running a "1 apache site", that satisfying green bar or "A grade" is just a few config stanzas and a restart away.

Re:

[SuricouRaven]

My server is barely-configured and uses a self-signed cert for the wrong hostname. This should be good.

Grade: F
Score: Zero.

I'm not going to get it signed. Have you seen how much that costs?

Re:

[piripiri]

Have you seen how much that costs?

StartSSL [startssl.com] provides class 1 certificates at no cost!

Re:

[AliasMarlowe]

Have you seen how much that costs?

StartSSL [startssl.com] provides class 1 certificates at no cost!

Which might be way beyond GP's budget. Anyway, StartSSL's server appears to be down (slashdotted?).

Re:

[KiloByte]

That's because of the VeriSign/Thawte racket. They charge money for no work. According to SSL design, any certificate is supposed to undergo more checking that they currently do for EV certs. Since the CAs are not going to actually do the checking, it is time to move to DNSSEC-based signatures, which are strictly better than the present state. Even if the CAs themselves would be perfectly secure, they sell certificates to anyone who can read mail sent to the given domain, and if you can set DNSSEC, you

Re:

[ledow]

I got a 5-year cert from GoDaddy for $50. It's really not that much if you've bothered to have an SSL port exposed to the world. It scores "A" on that site and doesn't produce any kind of cert warning in any browser that I know of (and Opera is particularly fussy about SSL certs).

Beyond that, a number of SSL suppliers give out free certs now for the lower end (not saying you'd score "A" but they probably wouldn't error out in most browsers and would give you a basic "padlock").

Just watch out. There are s

Re:

[petermgreen]

Have you seen how much that costs?

IIRC if you only need one domain on the cert then startssl will do it for free. If you want wildcards or multiple names on the cert then you will have to pay a bit but IIRC it's not horiffically expensive.

Re:

[JasterBobaMereel]

These are open websites, no confidential information, it is just a public facing system

Like people "hacking the FBI" it is meaningless to have access to a website that only provides information, you already have the information before you hacked it ...

This is security company scanning websites that don't care and finding they are "insecure" according to their own tool ... ...most of these tools have scary warnings that a system is insecure "in flashing bright red letters" for very minor and largely irreleva

Re:

[Enry]

If I read the page correctly, it reduces the vulnerability to BEAST with the problem being that the full fix is on the client side.

Re:

[Kozz]

If you're just running a "1 apache site", that satisfying green bar or "A grade" is just a few config stanzas and a restart away.

I'm not running one, but four. Still, not a big deal. I thought I'd check it out their reporting tool which tells me:

BEAST attack -- Vulnerable INSECURE (more info [qualys.com])
Secure Renegotiation -- Not supported ACTION NEEDED (more info [qualys.com])
Insecure Renegotiation -- Supported INSECURE (more info [qualys.com])

That's fine and dandy. But each of the "more info" links goes to a blog posting that discusses the topic just a little bit, and only one of them provides enough information to fix it. Thankfully our sites aren't handling financial transactions of any kind, or I might have to actually locate a fix... how is everyone else fixing this (esp. the renegotiation vulnerability) if there's nothing

Re:

[thoughtsatthemoment]

What's the reason for the feature of renegotiation? Why not just timeout and re-connect?

Re:

[jonwil]

The bad thing is how many important SSL sites (banks and others) get a fail in various areas of the SSL test.

The SSL for my banks internet banking site fails both the "secure renegotiation" and "insecure renegotiation". Not that the other Australian banks are any better...

SSL not a good fit for uni

[fa2k]

Doing research requires setting up a lot of one-off services, like a logbook, wiki, etc. Getting correct certificates for these things is a pain, and it's just not done. So users end up having to accept a large number of self-signed certificates, and bypass the annoying warnings in Firefox. SSL seems to have been designed for large shopping websites, while temporary and small-time web sites / services can't use it effectively. Using a self-signed certificate is much better than not encrypting data, as it prevents snooping in most cases (except for MITM attacks), so this is done. It would be good if browsers adopted a model more similar to SSH's "known_hosts", where there was a simple prompt for first-time visits to sites with unknown self-signed certificates, and the certificate was saved. They could reserve the ridiculous end-of-the-world warnings (like they show currently) for when the certificate changed unexpectedly. People should probably never use short expiry dates for self-signed certificate (unless they set up a CA)

Tip of the iceberg...

[Anonymous Coward]

Unfortunately that's not the end of it. I recently found out my alma mater uses software to manage the alumni records from a company called Blackbaud. The software includes a website that alumni can use to keep the university up to date with their contact details, find out about events and hunt down old classmates. The engineers at Blackbaud in their infinite wisdom chose to store passwords in a recoverable format. I nearly flipped when I did a password recovery a few weeks back and was sent my actual pa