Self-Signed Certificate for VPN
#1
Original Poster
Join Date: Jul 2013
Location: DAY/CMH
Programs: UA MileagePlus
Posts: 2,474
My company's very relaxed IT department* doesn't understand the importance of certificates, and our VPN host site does not have a valid one. Given that we access the VPN by IP address, how serious a risk does the invalid certificate pose?
*(I'm aware that "relaxed" might not be the most appropriate adjective here.)
#2
FlyerTalk Evangelist
Join Date: Nov 2002
Location: ORD
Posts: 14,773
Mod note - I've moved this into its own thread.
Minimal issues. Spoofing IP addresses like that would require concerted and specific sabotage by your ISP (or, really, any ISP between you and your VPN server) to redirect your traffic to their server. But then you'd quickly notice you couldn't access your company resources. And what would they gain? A quick call to IT would reset your password.
Not saying it couldn't happen (the tinfoil hat brigade will be all over me otherwise) but that it's so unlikely I wouldn't worry about it unless you were a high value target and traveling to a country whose government would try to get your password.
Last edited by gfunkdave; Jan 27, 2017 at 9:57 am
#4
Join Date: Jul 2007
Location: Brisbane, Australia
Programs: UA 1K/MM, Marriott Titanium, IHG Gold, Hertz PC, Avis PC
Posts: 8,531
However, even if you were using a hostname, the answer is "it depends"! What type of VPN are you using? Is it one that uses a web browser to access (in which case you should be using a hostname and a valid cert, and your IT people deserve to be sacked for doing otherwise), or is it one that uses a specific client?
"Valid" SSL certs are frequently not needed when using non-web-based VPNs. CA-signed SSL certs are used as a way of generating trust via a 3rd party, when you can't confirm that trust directly. You trust the CA, the CA trusts the SSL cert, and thus you trust the SSL cert.
For a VPN server, it's not uncommon to simply trust the SSL certificate directly, in which case a "self-signed" certificate is perfectly fine. (In practice it might not actually be 'self' signed, but it's basically the same thing.) For example, with OpenVPN you would normally create a private key for the server, then put the public part of that key onto every client. That creates the trust relationship, so no CA-signed certificate is required.
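The two trust models contrasted in the post above, exercised with the openssl CLI as an added example (this is editor-supplied code, not something posted in the thread and not Cisco's or OpenVPN's own mechanism). The name vpn.example.invalid and the temporary file paths are assumptions made for the demonstration; two self-signed certificates with the same name stand in for the real gateway and an impostor.

```shell
#!/bin/sh
# Added example, not code from the thread: third-party (CA) trust versus
# direct trust of a pinned certificate, shown with the openssl CLI.
# vpn.example.invalid and the temp paths are assumptions for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed certificate: the key signs its own certificate, so no
# third party vouches for it.  $1 = output basename, $2 = common name.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# Model 1, third-party trust: $1 validates only if a certificate in the
# trust store $2 signed it (or is it).
ca_validate() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Same check against the OS default trust store, which is what a browser or a
# VPN client does unless it has been given something else to trust.
default_store_validate() {
  openssl verify "$1" >/dev/null 2>&1
}

# Model 2, direct trust: the client carries the SHA-256 fingerprint of the
# server certificate it was provisioned with (the equivalent of OpenVPN
# shipping the server's public key to every client) and accepts a peer only
# if the presented certificate hashes to that value.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

pin_check() {   # $1 = presented certificate, $2 = pinned fingerprint
  [ "$(fingerprint "$1")" = "$2" ]
}

# --- demonstration ---------------------------------------------------------
make_self_signed "$WORK/server"   vpn.example.invalid   # the real gateway
make_self_signed "$WORK/attacker" vpn.example.invalid   # an impostor, same name

PIN=$(fingerprint "$WORK/server.crt")   # what would be provisioned on clients

# Against the OS trust store the gateway's cert is rejected: this is the
# "untrusted server" warning users learn to click through.
if default_store_validate "$WORK/server.crt"; then
  echo "unexpected: self-signed server cert passed CA validation"; exit 1
fi
# Trusting the gateway's certificate directly makes validation pass ...
ca_validate "$WORK/server.crt" "$WORK/server.crt"
# ... and the pin separates the real gateway from an impostor that copied the
# name: matching the fingerprint requires the gateway's own certificate, and
# speaking for it requires the matching private key.
pin_check "$WORK/server.crt" "$PIN"
if pin_check "$WORK/attacker.crt" "$PIN"; then
  echo "unexpected: impostor matched the pin"; exit 1
fi
echo "pinned fingerprint: $PIN"
echo "direct trust and pinning OK; impostor rejected"
```

The point of the impostor certificate is that the subject name (or, for a gateway reached by IP, the address) is free for anyone to put in a certificate; only the pin or a trusted issuer ties the name to the right key. A client that merely lets the user accept an unknown certificate at connect time has neither, so each connection is only as safe as the user's eyeball comparison of the fingerprint, if they compare it at all.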
#5
Original Poster
Join Date: Jul 2013
Location: DAY/CMH
Programs: UA MileagePlus
Posts: 2,474
The VPN is hosted by Cisco hardware and accessed by IP address through Cisco AnyConnect.
Thanks for confirming that this missing certificate, at least, does not represent a vulnerability.
#6
Join Date: Mar 2016
Location: Everywhere, mostly AMS
Posts: 4,579
It is probably all OK until someone targets your company and wants to steal information; of course it depends on where you work, it might be that there is nothing valuable to steal anyway.
There is really no excuse to use an IP address and no "real" certificates (or equivalent, as docbert explained about OpenVPN as one example) these days; the cost is negligible and it's a one-time thing to configure that takes no longer than a few minutes.