Credential theft, mitigations thereof

It was with some interest that I read an Infosec Island post about forcing transport security whilst connecting to various websites, but I want to argue against one piece of advice given there.

The information on STS (Strict Transport Security) is correct, so far as I know – I don’t use the plugin myself – but it was with a bit of horror that I noted the author recommended using a VPN as a partial mitigation against this attack.  We considered and rejected this advice for our own advisory (my own nearly identical blog post on it is here) when discussing Firesheep.

A VPN may be configured with a split tunnel: only traffic destined for the networks of the organisation hosting the VPN goes through the encrypted tunnel, and everything else, including your ordinary web browsing, leaves through the local network as it always did.  Firesheep works by sniffing unencrypted HTTP on a shared network and lifting the session cookies out of it, so with a split tunnel your request to the target site still crosses the café's wireless in the clear, and the attacker at the next table sees the cookie exactly as they would with no VPN at all.  In other words, a split tunnel VPN does nothing to protect you against credential theft of the sort being discussed.  Even a full tunnel only moves the problem rather than removing it: the traffic is decrypted at the VPN concentrator and travels in plaintext from there to the website, so anyone on that part of the path, or the VPN operator, is in the same position the Firesheep user was.

Our own VPN will be configured in such a manner, which is counter to the practice at many large companies, but which we believe is the only workable way when scaling out to thousands of users with uncontrolled access points.  The last thing we want is for our VPN to be hammered by BitTorrent traffic the instant somebody forgets, or for people to complain to us that their home network stops working as soon as they fire up the VPN.

Before following Mr. Coates’ advice, find out how your VPN works: specifically, whether all of your traffic is routed through the tunnel, or only traffic for the organisation's own networks.  The illusion of security is worse than none at all.
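One concrete way to answer that question on a Linux client is to read the routing table. A full tunnel sends the default route over the tunnel interface (OpenVPN's `redirect-gateway def1` does it by adding 0.0.0.0/1 and 128.0.0.0/1, which are more specific than the original default route and so win), while a split tunnel only adds routes for the organisation's own prefixes. The following is an added example, not code from the original post or from any VPN product: it parses two constructed samples of `ip route show` output (the interface names, addresses and prefixes are assumptions chosen for illustration, and the probe address 198.51.100.7 is an RFC 5737 documentation address standing in for "some website") and reports which interface a given destination would leave on, and hence whether the tunnel is split or full.

```python
import ipaddress

# Constructed sample of `ip route show` on a client with a split-tunnel VPN up.
# Only the organisation's 10.0.0.0/8 goes via tun0; the default route stays on wlan0.
SPLIT_TUNNEL_ROUTES = """\
default via 192.168.1.1 dev wlan0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

# Constructed sample of a full tunnel (OpenVPN redirect-gateway def1 style):
# 0.0.0.0/1 and 128.0.0.0/1 are more specific than the default route, so
# everything goes via tun0 except the host route to the VPN server itself
# (203.0.113.10, an assumed address) and the directly connected LAN.
FULL_TUNNEL_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev wlan0
"""


def parse_routes(text):
    """Turn `ip route show` output into (network, device) pairs.

    Only the destination prefix and the `dev` keyword are used; the other
    attributes (via, proto, scope, src) do not affect which interface wins.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dest, strict=False)  # bare host becomes /32
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((net, dev))
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match: the interface the kernel would send dst out of."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def tunnel_mode(routes, tunnel_dev="tun0", probe="198.51.100.7"):
    """Classify the VPN by asking where an arbitrary Internet address would go.

    probe is an RFC 5737 documentation address standing in for "some website";
    if it would leave via the tunnel, the tunnel is full, otherwise split.
    """
    return "full" if egress_interface(routes, probe) == tunnel_dev else "split"


if __name__ == "__main__":
    for name, text in (("split", SPLIT_TUNNEL_ROUTES), ("full", FULL_TUNNEL_ROUTES)):
        routes = parse_routes(text)
        print(f"{name} sample -> detected as {tunnel_mode(routes)} tunnel")
        for dst in ("198.51.100.7", "10.1.2.3", "192.168.1.5"):
            print(f"  {dst:>14} leaves via {egress_interface(routes, dst)}")
```

On a real machine, replace the constructed samples with the actual output of `ip route show`; macOS (`netstat -rn`) and Windows (`route print`) present the same information in a different layout and would need their own parser. Note the directly connected 192.168.1.0/24 route in the full-tunnel sample: even with a full tunnel, traffic to neighbours on the local network stays off the tunnel, which is normal but worth knowing when judging what the VPN does and does not cover.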