A weak VPN isn’t necessarily better than no VPN

A Slashdot story last week discussed how 90% of all SSL VPNs use weak, obsolete encryption. And one comment said, “So? A weak VPN is better than no VPN.”

Not necessarily.

Intelligence agencies love weak encryption, because if people are willing to encrypt something, it must be valuable. It’s less work to find the weakly encrypted traffic and break all of it than it is to sort through all of the unencrypted traffic. If criminal gangs aren’t using the same techniques, it won’t be long until they are.

So I don’t buy the argument that a weak VPN is better than no VPN. I use really weak SSL on this site deliberately, so people who are looking for sensitive stuff can waste their time decrypting stuff about vintage electric trains. But if what you’re protecting is something you really need to keep out of the public eye, like financial data or trade secrets, it’s worth protecting with modern cryptography. At any given time, SSL Labs can tell you, in order of preference, what technologies your web site or VPN ought to be using.
