Some Universities in England have poor SSL Security
Many of the top universities in the UK were found to have very weak SSL security on their websites. The websites running HTTPS were tested, and 17 were discovered to have very poor SSL. A few of these are top 10 universities including UCL, Bath, Lancaster and Oxford. SSL security should not be taken lightly. The weak security leaves lecturers, students and anyone else with an account vulnerable to attacks from hackers. With poor SSL security, hackers can easily hijack a session on the university network and steal passwords. These passwords may make it possible for a hacker to access other accounts belonging to the user.
Hackers can access the information in a number of ways when weak connections are present. They could use one of the many tools available to force their way to sensitive user information. They could also use man-in-the-middle attacks to interfere with the connection between the server and client.
The ranking system used to determine how secure the university networks are is based on the strength of the key exchanges and ciphers, the validity of the certificate and the protocols the site supports. This includes both Transport Layer Security (TLS) and SSL. Many sites that need security support both types, but a user isn’t protected if the browser doesn’t support the technology.
SSL is not completely secure, and weaknesses have been discovered in the past. A flaw discovered in 2009 allowed data to be injected into encrypted traffic between users. This gave hackers a chance to insert false commands into the lines of communication. A different attack, known as the BEAST attack, enabled hackers to decrypt data. The primary problem that the university websites had with SSL was incorrectly configured servers. Many websites, not just the ones belonging to well-known universities, have failed to implement the latest SSL security and have left themselves open to attack.
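The four rating criteria above (protocols, ciphers, key exchange, certificate validity) and the BEAST exposure can be checked mechanically against a server's scan results. The following is an added example, not the scoring used in the survey: the scan-record format, the thresholds and the hostnames are assumptions, and the two records are constructed sample data.

```python
from datetime import date

OBSOLETE = {"SSLv2", "SSLv3"}            # assumed policy: never acceptable
BEAST_PROTOCOLS = {"SSLv3", "TLSv1.0"}   # BEAST targets CBC suites on these versions
WEAK_TOKENS = ("RC4", "DES", "NULL", "EXP", "MD5")   # OpenSSL suite-name fragments
NON_CBC_TOKENS = ("GCM", "CHACHA20", "CCM", "RC4", "NULL")
MIN_RSA_DH_BITS = 2048                   # assumed floor for RSA / finite-field DH

def audit(scan, today):
    """Return sorted findings for one scan record (hypothetical format)."""
    findings = set()
    protocols = set(scan["protocols"])
    for proto in protocols & OBSOLETE:
        findings.add(f"protocol: {proto} enabled")
    if not protocols & {"TLSv1.2", "TLSv1.3"}:
        findings.add("protocol: no TLSv1.2 or newer offered")
    for suite in scan["ciphers"]:
        if any(tok in suite for tok in WEAK_TOKENS):
            findings.add(f"cipher: weak suite {suite}")
        elif protocols & BEAST_PROTOCOLS and not any(t in suite for t in NON_CBC_TOKENS):
            findings.add(f"cipher: CBC suite {suite} offered with SSLv3/TLSv1.0 (BEAST)")
        # Ephemeral (EC)DH suites and TLS 1.3 suites give forward secrecy.
        if not suite.startswith(("ECDHE-", "DHE-", "TLS_")):
            findings.add(f"key exchange: no forward secrecy in {suite}")
    if scan["rsa_or_dh_bits"] < MIN_RSA_DH_BITS:
        findings.add(f"key exchange: {scan['rsa_or_dh_bits']}-bit RSA/DH key")
    cert = scan["cert"]
    if not cert["not_before"] <= today <= cert["not_after"]:
        findings.add("certificate: outside validity period")
    if scan["host"] not in cert["names"]:
        findings.add("certificate: name mismatch")
    return sorted(findings)

TODAY = date(2024, 1, 15)                # fixed date so the result is reproducible
# Constructed record: a misconfigured server of the kind the article describes.
WEAK = {"host": "www.example.test", "protocols": ["SSLv3", "TLSv1.0"],
        "ciphers": ["RC4-SHA", "AES128-SHA", "DES-CBC3-SHA"], "rsa_or_dh_bits": 1024,
        "cert": {"names": ["www.example.test"],
                 "not_before": date(2022, 1, 1), "not_after": date(2023, 6, 30)}}
# Constructed record: the same server after reconfiguration.
HARDENED = {"host": "www.example.test", "protocols": ["TLSv1.2", "TLSv1.3"],
            "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305",
                        "TLS_AES_128_GCM_SHA256"], "rsa_or_dh_bits": 2048,
            "cert": {"names": ["www.example.test"],
                     "not_before": date(2023, 9, 1), "not_after": date(2024, 9, 1)}}

if __name__ == "__main__":
    for name, record in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, *(audit(record, TODAY) or ["no findings"]), sep="\n  ")
```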
Implementing the latest SSL security is not a time-consuming process. Many of the universities that were contacted quickly fixed the problem. The universities, which included UCL, the University of Nottingham, the University of Glasgow, Lancaster University and the University of Manchester, currently score an A, as opposed to a C or D, when rated on SSL security after the changes were made.
Some universities, which are not identified due to security concerns, did not respond at all to the inquiries sent by TechWeekEurope. Others acknowledged that an issue was present but did not make any immediate changes to fix the problem, or stated that the problem would be addressed in the future. Even though the configurations for the newer and safer versions of SSL are available and not difficult to implement, many websites are still left vulnerable due to unsafe security practices.
Guest Post Author – Oliver Macpherson
Oliver Macpherson has worked for an SSL certificates provider for the past 10 years and believes in the importance of protecting confidential data where possible. He currently works for SSL247.