Top UK Universities Flunk SSL Security Tests

Tom Brewster is TechWeek Europe’s Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Exclusive: A TechWeekEurope investigation leads many of the UK’s top universities to boost website security

A significant number of universities have moved fast to shore up SSL security on their websites following an investigation by TechWeekEurope.

Using the SSL Labs tool, launched by the Trustworthy Internet Movement at the InfoSecurity 2012 conference, TechWeekEurope tested websites running HTTPS belonging to the top 50 universities, as ranked by the Guardian in its latest academic league table.

A total of 17 were found to be running weak SSL implementations, with many of them gaining a grade of C and some getting a D, where they should be aiming for the top A score. Those seen running weak SSL (Secure Sockets Layer) included a number of the top 10 universities, such as Oxford, UCL, Lancaster and Bath.

Exploiting education

Weak HTTPS connections at universities  could leave students, lecturers or anyone logging into the websites open to certain attacks. Hackers, if they can get onto the university network, could exploit vulnerable SSL to hijack end-user sessions, steal passwords and thereby access other accounts belonging to the user.

This could be done via man-in-the-middle attacks, where the attacker jumps in between the client and the site’s server to watch over traffic. Various tools are available to help attackers do this where vulnerable SSL protocols are in place. Malicious hackers could also use brute force to break weak  ciphers and gain access to user data, although theoretically this would be more difficult than an MITM attack.

SSL Labs ranks SSL implementations on the validity of the certificate, the strength of ciphers and key exchanges, and what protocols the site offers support for – which comprise different versions of either SSL or its bigger, better brother TLS (Transport Layer Security). Many sites support both old and new versions of SSL and TLS, but users can be left vulnerable if their browser is not configured to be compatible with the more robust protocols.

Various weaknesses have been found in SSL over the years. In 2009, researchers showed how a flaw, when exploited by renegotiating the protected session, allowed data to be injected into encrypted traffic between users. This could lead to fragmentation of SSL transactions, giving hackers the opportunity to inject false commands, such as password resets, into communications.

The BEAST (browser exploit against SSL/TLS) attack, shown to work last year, allowed attackers to silently decrypt data. Versions 1.0 and earlier of TLS and all versions of SSL are vulnerable to this attack. Unfortunately, versions 1.1 and 1.2 of TLS are widely unsupported on popular browsers today. Indeed, even though many of the universities who responded now have an A rating on HTTPS sites, they are still vulnerable to the BEAST.

Ivan Ristic, director of engineering at Qualys and creator of SSL Labs, said the weaknesses across university websites were “part of a worldwide problem with incorrectly configured SSL servers.”

“According to our research statistics, a very large number of servers are deployed with insecure defaults that enable all protocols and cipher suites, even the weak ones. Even among the world’s most popular web sites,” Ristic said.

Ristic’s research has shown around one-third of the most popular websites on the Internet support insecure SSL 2.0 and about 40 percent support insecure cipher suites.

“We are seeing a very slow improvement in SSL configuration,” he added. “Determining the best way to improve is difficult. The most promising direction is to raise awareness among administrators, in combination with improving the default settings to be secure.”

Unis respond fast

Yet when TechWeekEurope contacted the universities affected, many quickly improved the security of their SSL deployments, indicating the shift to better SSL does not take a significant effort.

Mike Cope, director of UCL’s Information Services Division, was one of the quickest movers. “Thank you for highlighting this.  We have looked into the web service you mention and agree the current security configuration could be improved,” Cope said. “ Following a review, the configuration has been updated and we now understand they report a more secure setup.  I think this shows we consider Internet security a high priority.  We will work through our other servers to identify where configurations can also be improved.”

A spokesperson from Information Systems at The University of Nottingham said the university was in the process of developing tougher SSL. “We appreciate notification of potential SSL weaknesses in one of our web services which were brought to our attention by TechWeekEurope,” they added.

“Our engineers are conducting a review of our portfolio of web services and have already begun taking steps to address this. The University manages a range of services with different levels of security appropriate to the differing requirements of the resources we host.

“Implementation of an extensive investment programme of system upgrades is currently underway to provide new firewalls, more robust authentication, and other campus network enhancements that protect our large and diverse user communities.”

A spokesperson from the University of Manchester said the issue on the highlighted webpage was fixed during a rolling programme of security patching this week and the SSL Labs report was showing an A rating.

The University of Glasgow said it had improved the areas identified and was getting an A rating too. “A wider review of our web-based facilities is also underway,” a spokesperson said.

Lancaster University said it had scheduled a re-boot of the relevant server to change the settings to allow only SSL 3.0 communication. “Our assessment was that the other security measures we have in place mean that this particular vulnerability could not be easily exploited, but should be fixed to ensure we maintain defence in depth,” the university said.

As for the country’s number two university, Oxford, it said the site identified supports a range of SSL options “including some older ones which are broadly recognised to have been superseded in terms of the level of security offered”. “As with all of our systems, security measures are reviewed and updated where and when appropriate. For this particular system an upgrade project is currently underway and we anticipate a number of older SSL options to be discontinued, subject to confirmation that this will not cause substantive accessibility problems for our users,” a spokesperson said.

Wait for it…

Some will not be so quick to improve SSL implementations. Oxford Brookes said it was working on a new Virtual Learning Environment service that will address the identified issues, but it won’t be live until September.

Dundee said it may have a little trouble in improving the security on one of its sites, but confirmed an update was on the way. “The link referred to concerns our access to a part of the site developed alongside a third party and in such instances we are often constrained by the recommendations of the software supplier. We do treat improvements to security as high priority and we have already planned to address this during our routine version upgrade in July,” the university said.

Bath said its “IT department is aware of the security issues you have identified and is in the process of developing updates on our test network.”

Keele admitted that SSL 2.0 support was present, but said it was “under review”.

Other universities did not respond to TechWeekEurope’s notification, but we will not reveal which sites were running weak HTTPS services for obvious security reasons.

Nevertheless, SSL security issues remain prevalent across the internet, even though better configuration is not massively difficult. To learn more about SSL/TLS best security practices, head here.

Are you a security nerd? Try our quiz!