Originally published on Help Net Security

For a typical consumer, seeing "Secured by SSL" is all it takes to be reassured that whatever they are doing online is safe. Awareness training teaches the same users that if they see https in the browser address bar, they are safe.

For most users, SSL is necessary and offers a reasonable level of security for the risks they encounter online. Security and IT professionals who understand mobile communications, however, would rather use a personal IPSec VPN, because they know one simple fact: SSL (more precisely TLS, its modern successor) has a long record of protocol and implementation weaknesses, and its security depends entirely on the client correctly validating the server's certificate. That is why the same professionals regard SSL VPN as the wrong choice for protecting their organisation's mobile communications.

Whether the weakness is an exploitable protocol vulnerability or a misconfiguration, an SSL connection is not hard to attack. Whether your organisation uses SSL VPN for individual application connections or to proxy all traffic, an attacker of no great sophistication who sits on the network path can attempt a Man-in-the-Middle (MiTM) attack on that connection. The attack succeeds whenever the client fails to validate the server's certificate, the user clicks through a certificate warning, or the attacker downgrades the session to plain HTTP (the technique behind tools such as sslstrip) on a site that does not enforce HTTPS. Before you object that it doesn't matter because the data is encrypted, realise that it is NOT the bulk data the attacker is after: once the attacker terminates the TLS session, freely available open source interception tools show usernames and passwords in the clear. That includes banking credentials, PayPal credentials and even Active Directory credentials, which are used to access your corporate network. Essentially the keys to the castle!
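The interception described above hinges on one client-side decision: whether the client checks who is on the other end of the encrypted connection. The following Python is an added illustration (not code from the article or from any vendor mentioned in it) using the standard library's `ssl` module. It puts the configuration that makes the MiTM possible next to the hardened one, and adds certificate pinning for the case where an attacker holds a certificate that the device's trust store would otherwise accept. `SAMPLE_DER` is constructed placeholder bytes, not a real certificate, and `connect_pinned` is shown only to tie the pieces together against a host of your choosing.

```python
"""Added example (not from the original article): the client-side settings that decide
whether an on-path interception of an SSL/TLS connection succeeds.

The MiTM works against a client that accepts any certificate. A client that validates
the chain, checks the hostname, refuses SSLv3/TLS 1.0/1.1 and pins the server's
certificate leaves an on-path attacker with nothing but ciphertext.
"""
import hashlib
import socket
import ssl
from typing import Iterable, Optional, Tuple

# Constructed placeholder standing in for a DER-encoded certificate. It is NOT a real
# certificate, only bytes to fingerprint for the pinning demonstration.
SAMPLE_DER = b"\x30\x82\x01\x0a" + b"constructed-example-certificate-bytes"


def weak_context() -> ssl.SSLContext:
    """The configuration that makes the MiTM possible: encryption without identity.

    Any certificate, including one minted on the fly by an interception proxy, is
    accepted, so the proxy terminates TLS and reads every credential in the clear.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Chain validation against a trust store, hostname check, TLS 1.2 or newer."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # no SSLv3 (POODLE) and no TLS 1.0/1.1
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Plain-data summary of the settings that decide whether an interception proxy is accepted."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "min_tls": ctx.minimum_version.name,
    }


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as lowercase hex, no colons."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_ok(der_cert: bytes, pinned: Iterable[str]) -> bool:
    """True when the presented certificate matches one of the pinned fingerprints.

    Pinning covers the remaining MiTM case: an attacker presenting a certificate that a
    public CA, or a rogue CA pushed into the device trust store, would vouch for.
    Fingerprints may be given in either case and with or without colon separators.
    """
    wanted = {p.lower().replace(":", "") for p in pinned}
    return fingerprint(der_cert) in wanted


def connect_pinned(host: str, port: int, pinned: Iterable[str],
                   cafile: Optional[str] = None) -> Tuple[str, str]:
    """Open a TLS connection that is both CA-validated and pinned; returns (version, fingerprint).

    Network call, shown to tie the checks together; host and port are whatever your app talks to.
    """
    ctx = hardened_context(cafile)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_ok(der, pinned):
                raise ssl.SSLCertVerificationError(f"pin mismatch for {host}: {fingerprint(der)}")
            return tls.version(), fingerprint(der)
```

A quick audit of any mobile or desktop app is to look for the `weak_context` pattern (or its equivalents such as `verify=False`, a trust-all `TrustManager`, or `NSAllowsArbitraryLoads`); wherever it appears, the credentials sent over that connection are readable by anyone who can stand up an interception proxy on the same Wi-Fi.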

The irony is that many organisations use mobile device management (MDM) or enterprise mobility management (EMM) because it is "good enough" for now. The same holds true for SSL VPNs, which are more often than not deployed alongside an MDM/EMM solution. Everyone has their own risk threshold; however, if you or any of your employees ever use hotel, airport or coffee shop Wi-Fi, your SSL VPN is an open hunting ground for attackers.

Using SSL for mobile applications or in the browser does provide better security for communications than nothing at all. Each organisation, however, needs to decide its own threshold for risk acceptance, and it is better to be armed with the facts than to be guided by a vendor saying "not to worry, we have that covered". Unfortunately, little has been learned from Heartbleed (a memory-disclosure bug in OpenSSL's implementation of the protocol) and POODLE (a padding-oracle flaw in the SSL 3.0 protocol itself); the first showed that even a correctly configured SSL endpoint is only as good as its implementation, and the second that any client still willing to fall back to SSL 3.0 could be tricked into doing so.

Whilst we refer to the "SSL Gateway", the term "Gateway" is a bit of a stretch: it is simply a server that terminates SSL and proxies traffic in and out of your network. Organisations must take note that this is NOT secure, for all of the reasons above and more.

Those who peddle SSL and such proxies talk of strong multi-factor authentication. It is not a bad idea, but it is readily available regardless of the architecture. What you do not hear about is strong access control using certificate authentication, which makes it possible to attribute bad or malicious behaviour to a specific, non-compliant device. A proxy, by definition, pools all traffic together before it enters the network and provides no resolution of who is doing what from which device. The end result is that you may have some fancy technology that identifies something is wrong with a user group, but it cannot identify the device. That is not security; it is a loss of attribution.

The reason organisations have been using IPSec VPNs tied to certificate authentication for access control for over a decade is that the model is sound: the tunnel is only established between a gateway and a device that each hold a certificate issued by the organisation's own CA, so an attacker on the network path cannot impersonate either end without such a certificate, and every packet entering the network is attributable to the device certificate that authenticated it. None of the nonsense mentioned above applies. Today, with mobile workers wanting more and more access to company network resources, a real, scalable, secure, easy-to-use solution that doesn't interfere with the user experience is essential.

IPSec is a huge advantage to mobile workers:

  • Simple to deploy and manage
  • Removes the MiTM exposure described above: without a valid device certificate an attacker cannot complete the IKE handshake, and the inner SSL traffic is never exposed to the network
  • Allows fast internet browsing and communication
  • Provides a first-class user experience
  • Ensures protection cannot be tampered with or circumvented.

Provided the IPSec solution is designed specifically for mobile, it is the best VPN for enabling mobility on any device, over any network or cloud service. Assuming that most apps your organisation uses rely on SSL, they can continue to do so with no architectural changes at all: the SSL traffic simply runs inside the IPSec tunnel. The difference is that the tunnel endpoints are now authenticated by certificate, so an attacker on hotel or airport Wi-Fi sees only ESP packets between the device and your gateway, and the SSL session inside them is out of reach.
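What a certificate-authenticated mobile IPSec gateway looks like in practice is easiest to show as configuration. The fragment below is an added illustration in strongSwan's swanctl.conf format, not configuration from the article or from any product it mentions; the gateway address, hostname, certificate file names and address pool are assumptions to be replaced with your own. It is the gateway (responder) side; each device carries a certificate issued by the corporate CA and a matching IKEv2 profile.

```conf
# /etc/swanctl/swanctl.conf (strongSwan 5.x) -- added illustration, not the article's config.
# Addresses, names and file names are assumptions: replace them with your own.
connections {
    mobile-ikev2 {
        version = 2                       # IKEv2 only, no IKEv1 fallback
        local_addrs = 203.0.113.10        # public address of the gateway (assumed)
        pools = mobile-pool
        proposals = aes256-sha256-x25519  # IKE SA: AES-256, SHA-256 PRF/integrity, X25519 DH
        local {
            auth = pubkey
            certs = vpn-gateway.pem       # gateway certificate in /etc/swanctl/x509/
            id = vpn.example.com          # must match the SAN the client verifies (assumed name)
        }
        remote {
            auth = pubkey                 # the device must prove possession of a private key ...
            cacerts = corp-ca.pem         # ... for a certificate chaining to the corporate CA
            revocation = strict           # and the certificate must pass a CRL/OCSP check
        }
        children {
            mobile {
                local_ts = 0.0.0.0/0      # full tunnel: every packet, SSL included, rides inside ESP
                esp_proposals = aes256gcm16-x25519
            }
        }
    }
}

pools {
    mobile-pool {
        addrs = 10.99.0.0/16              # one inner address per device, so traffic is attributable
    }
}
```

Two points are worth checking in your own deployment. First, `remote.cacerts` is what turns the tunnel into access control: a device without a certificate from that CA never gets past IKE authentication, whatever password it knows. Second, because each device authenticates with its own certificate and receives its own inner address from the pool, the gateway logs and the firewall behind it see the device identity (the certificate subject or SAN strongSwan reports as the remote ID) rather than one pooled proxy address, which is exactly the attribution an SSL proxy cannot give you. A device found to be non-compliant is cut off by revoking its certificate; with `revocation = strict` the next IKE authentication fails.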

So why is SSL still such a dominant force in mobile secure communications? Because it's already there. Most companies are already using it, most apps make use of it and vendors say it is the best there is. In addition, most organisations are unaware of, or unwilling to consider, readily available enhancements to securing their enterprise mobile communications.

Always know the facts and properly test solutions to YOUR list of requirements – which I hope include being secure.
