US-CERT Sees Danger Lurking in SSL-VPN

Netstat -vat by Sean Michael Kerner

A command line view of IT


“From the ‘Flaws Without Fixes’ files”

US-CERT is now warning against a potentially dangerous flaw in the SSL-VPN implementations from over two dozen vendors including industry giant Cisco.

“Clientless SSL VPN products from multiple vendors operate in a way that breaks fundamental browser security mechanisms,” US-CERT warns. “An attacker could use these devices to bypass authentication or conduct other Web-based attacks.”

Sounds scary, doesn’t it? But I’m not so sure we all need to run for the hills and abandon SSL-VPNs (yet).

At issue is the same-origin policy that all modern Web browsers enforce. Same origin is basically a rule that limits which pages can read data belonging to a particular site: content is allowed to access only what came from the same scheme, host and port. That is, you generally don’t want one site having access to the other sites you have open.
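To make the same-origin point concrete, here is an added example (not code from the original post or from any vendor's product). It implements the browser's origin comparison and then shows what happens when two unrelated sites are both served from one VPN host. The rewriting scheme (a `/proxy/<scheme>/<host>/...` path on an assumed hostname `vpn.example.test`) is a construction for this illustration; the post itself does not describe the exact mechanism any product uses.

```javascript
// Added example: how a browser decides whether two URLs share an origin, and
// why funnelling every site through a single clientless SSL-VPN host defeats
// that decision. Runs under Node.js (uses the built-in WHATWG URL class).

// An origin is the (scheme, host, port) triple of a URL. The path is ignored,
// and URL normalisation drops default ports (":443" on https, ":80" on http).
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`; // u.host keeps a non-default port
}

// The check a browser performs before letting script from page A read
// the DOM, cookies or responses belonging to page B.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Hypothetical rewriting scheme, constructed for this example only: the VPN
// appliance embeds the real destination in the path, so every upstream site
// is delivered to the browser from the appliance's own origin.
const VPN_HOST = 'https://vpn.example.test'; // assumed hostname, not a real device
function rewriteThroughVpn(targetUrl) {
  const t = new URL(targetUrl);
  const scheme = t.protocol.replace(':', '');
  return `${VPN_HOST}/proxy/${scheme}/${t.host}${t.pathname}${t.search}`;
}

// Defender's check: do two distinct upstream sites collapse into one origin
// once rewritten? If so, the browser can no longer keep them apart.
function originsCollapse(siteA, siteB) {
  const direct = sameOrigin(siteA, siteB);
  const rewritten = sameOrigin(rewriteThroughVpn(siteA), rewriteThroughVpn(siteB));
  return { direct, rewritten, collapsed: !direct && rewritten };
}

// Constructed sample sites (not real hosts).
const MAIL = 'https://mail.example.test/inbox';
const BANK = 'https://bank.example.test/accounts?view=all';

console.log('direct origins:', originOf(MAIL), 'vs', originOf(BANK));
console.log('after rewrite :', originOf(rewriteThroughVpn(MAIL)), 'vs',
            originOf(rewriteThroughVpn(BANK)));
console.log(originsCollapse(MAIL, BANK));
```

The `collapsed` flag is the condition US-CERT is describing: two sites that the browser would normally isolate from each other end up sharing the appliance's origin, so the same-origin policy no longer separates their cookies and page content. When evaluating a clientless SSL-VPN deployment, asking the vendor how (or whether) it keeps rewritten sites in distinct origins is the practical version of this check.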
