In association with heise online

13 June 2006, 13:25

SSL VPNs undermine the security models of browsers


Michal Zalewski has warned that SSL VPNs can defeat a central security mechanism of web browsers, the same-origin policy that blocks script access across domains, and may therefore endanger every system reachable through such a "Web VPN".

These browser-based SSL VPNs should not be confused with true VPN solutions such as OpenVPN, which also uses SSL/TLS for authentication and encryption but operates at the network layer. The basic function of an SSL VPN gateway can be thought of as that of a simple HTTP(S) reverse proxy: users enter an address such as https://vpn.foo.com and log on with a username and password. The SSL gateway then mediates access to the various resources of the enterprise network, which it maps onto URLs such as https://vpn.foo.com/http/0/owa/exchange/ju/inbox and https://vpn.foo.com/http/0/files/ju. In this example the Outlook Web Access service and the file server run on different machines in the intranet, yet both appear to the browser under the single hostname vpn.foo.com.

To prevent illicit manipulation and data theft, browsers block script access across domains (the same-origin policy: scheme, hostname and port must match). For instance, a script from a page at heisec.co.uk may read and even overwrite other pages served from heisec.co.uk, but it cannot access the resources of a page at apple.com that is displayed at the same time. An SSL VPN blurs the borders between domains by serving all of them from the gateway's own hostname. At

https://vpn.foo.co.uk/http/0/foo.de/mail

and

https://vpn.foo.co.uk/http/0/bar.de/wmtip

the browser sees only the origin https://vpn.foo.co.uk, and treats the two applications, which actually live on foo.de and bar.de, as one and the same site. An attacker can then exploit a cross-site scripting flaw in the wmtip application not only to read a colleague's tips, but also to read all of that colleague's e-mail through the mail application proxied under the same hostname.

Such problems only arise when an SSL VPN proxies systems from different domains under one hostname, and special measures and careful design can remedy them. Zalewski doubts that such remedies are being provided, however, because manufacturers of SSL VPNs have not yet even discussed them.
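The origin collapse described above, and one possible remedy, as an added example that is not part of the original article or of any vendor's product. The hostnames follow the article's examples; the gateway path layout "/http/0/<host>/<path>" is taken from the article's URLs, while the per-backend-subdomain remedy is an assumed design chosen for illustration, not a scheme the article attributes to any manufacturer.

```javascript
// Added example (not from the article): a model of how a URL-rewriting SSL VPN
// gateway folds distinct web origins into one, defeating the browser's
// same-origin policy, and how a gateway that assigns each backend host its own
// subdomain (an assumed design) keeps them apart.

// The browser's notion of an origin: scheme, host and port. Two documents may
// script each other (read the DOM, cookies, XHR responses) only if these match.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`; // u.host includes a non-default port
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Naive gateway: every intranet resource is served under one hostname, with
// the real backend host folded into the path (layout taken from the article).
function throughNaiveGateway(gateway, backendUrl) {
  const b = new URL(backendUrl);
  return `${gateway}/http/0/${b.host}${b.pathname}${b.search}`;
}

// Isolating gateway (assumed design): each backend host gets its own subdomain
// of the gateway, so the browser sees the backends as separate origins.
function throughIsolatingGateway(gatewayHost, backendUrl) {
  const b = new URL(backendUrl);
  const label = b.host.replace(/[^a-z0-9]/gi, '-'); // foo.de -> foo-de
  return `https://${label}.${gatewayHost}${b.pathname}${b.search}`;
}

// Simulated XSS: script injected into attackerPage tries to fetch victimUrl.
// Returns whether the same-origin policy would let it read the response.
function xssCanRead(attackerPage, victimUrl) {
  return sameOrigin(attackerPage, victimUrl);
}

// Constructed backend URLs, following the article's foo.de / bar.de example.
const MAIL = 'https://foo.de/mail';
const TIPS = 'https://bar.de/wmtip';

function demo() {
  // Accessed directly, the tips app and the mail app are different origins.
  const direct = xssCanRead(TIPS, MAIL);
  // Proxied under one hostname they become the same origin: XSS in wmtip
  // can now read the mailbox.
  const naive = xssCanRead(
    throughNaiveGateway('https://vpn.foo.co.uk', TIPS),
    throughNaiveGateway('https://vpn.foo.co.uk', MAIL)
  );
  // With one subdomain per backend host the boundary is restored.
  const isolating = xssCanRead(
    throughIsolatingGateway('vpn.foo.co.uk', TIPS),
    throughIsolatingGateway('vpn.foo.co.uk', MAIL)
  );
  return { direct, naive, isolating };
}

console.log(throughNaiveGateway('https://vpn.foo.co.uk', MAIL));
console.log(demo());
```

The subdomain scheme restores the script boundary only; cookies set with a Domain attribute of the parent gateway hostname would still be shared by all backend subdomains, so a gateway taking this route also has to keep session cookies scoped to the individual subdomain.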

(ju)

Permalink: http://h-online.com/-731140