US-CERT Warns of Flaw in SSL-VPNs

Sean Michael Kerner writes in his blog today...

"From the 'Flaws Without Fixes' files"

US-CERT is now warning against a potentially dangerous flaw in the SSL-VPN implementations from over two dozen vendors including industry giant Cisco.

"Clientless SSL VPN products from multiple vendors operate in a way that breaks fundamental browser security mechanisms," US-CERT warns. "An attacker could use these devices to bypass authentication or conduct other Web-based attacks."

Sounds scary, doesn't it? But I'm not so sure we all need to run for the hills and abandon SSL-VPNs (yet).

At issue is the same origin policy that all modern Web browsers use. Same origin is basically an attempt to limit the resources that can access data from a particular site. That is, you generally don't want one site having access to the other sites you have open.

Read the rest of the blog post here.
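
To make the same-origin point concrete, the sketch below (an added example, not code from the blog post or from US-CERT) computes browser origins for three sites reached directly and for the same sites reached through a clientless gateway that serves them all from its own hostname. The hostnames and the `/proxy/<scheme>/<host>/...` rewriting pattern are assumptions constructed for illustration; real products use their own URL schemes.

```javascript
// Added example: origins as the same-origin policy sees them (scheme, host, port).
// All hostnames are constructed; vpn.example.test is a hypothetical gateway.

// Serialize the origin tuple that the browser compares.
function originOf(url) {
  return new URL(url).origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Hypothetical rewriting scheme: the gateway serves every internal site
// from its own host and carries the real target in the path.
function rewriteThroughGateway(gateway, target) {
  const t = new URL(target);
  const scheme = t.protocol.replace(":", "");
  return `${gateway}/proxy/${scheme}/${t.host}${t.pathname}${t.search}`;
}

// Count how many isolation boundaries the browser would enforce.
function distinctOrigins(urls) {
  return new Set(urls.map(originOf)).size;
}

const GATEWAY = "https://vpn.example.test";
const direct = [
  "https://mail.corp.example.test/inbox",
  "https://wiki.corp.example.test/page?id=7",
  "http://legacy.corp.example.test:8080/app",
];
const proxied = direct.map((u) => rewriteThroughGateway(GATEWAY, u));

console.log("direct origins: ", distinctOrigins(direct));
console.log("proxied origins:", distinctOrigins(proxied));
for (const u of proxied) console.log("  ", u, "->", originOf(u));
```

Reached directly, the three sites are separate origins and the browser keeps their cookies and DOM apart; behind the gateway they share one origin, so that separation has to be enforced by the gateway itself.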
