This topic is likely more important than the Weak Key story I published earlier.  Unfortunately, we all DO get a vote on weak encryption, and almost everyone votes wrong - - enabling the defaults, which include easily attacked crypto algorithms.

I do a fair number of security assessments, and invariably I find servers that support "weak ciphers".  What this means is that encryption using weak algorithms is supported, methods such as the ones below (taken from a recent assessment):

    SSLv2
      EXP-RC2-CBC-MD5            Kx=RSA(512)   Au=RSA     Enc=RC2(40)      Mac=MD5    export    
      EXP-RC4-MD5                Kx=RSA(512)   Au=RSA     Enc=RC4(40)      Mac=MD5    export    
    SSLv3
      EXP-DES-CBC-SHA            Kx=RSA(512)   Au=RSA     Enc=DES(40)      Mac=SHA1   export    
      EXP-RC2-CBC-MD5            Kx=RSA(512)   Au=RSA     Enc=RC2(40)      Mac=MD5    export    
      EXP-RC4-MD5                Kx=RSA(512)   Au=RSA     Enc=RC4(40)      Mac=MD5    export    
    TLSv1
      EXP-DES-CBC-SHA            Kx=RSA(512)   Au=RSA     Enc=DES(40)      Mac=SHA1   export    
      EXP-RC2-CBC-MD5            Kx=RSA(512)   Au=RSA     Enc=RC2(40)      Mac=MD5    export    
      EXP-RC4-MD5                Kx=RSA(512)   Au=RSA     Enc=RC4(40)      Mac=MD5    export 


Note that no matter what the hash (MD5 or SHA1), the encryption is all using symmetrical algorithms with a 40 bit key(!), also the Key Exchange (Kx) is 512 bits for each.  And yes, you can still implement weak encryption in SSLv3 and TLS - why we all decided that should be in the default set for these newer protocols is beyond me!  We're (mostly) past the days where we need to worry about our customers being subject to the old export regulations that limited them to 40 or 56bit encryption (full disclosure - there are still a few exceptions).

The problem is that until very recently, support for these weak encryption methods was part of the default installation - so if you run setup and press enter or "OK" 15 times, this is what you'll have.  An attacker only needs to downgrade your encryption, either during the initial negotiation or by triggering a renegotiation, and they can decrypt your data.  With the right tools the decryption of these algorithms can be almost real-time.

The sad thing is that, while it's very easy to disable these algorithms, almost every server you'd care to check still supports them.  Mostly because folks don't know that they are there, don't know what they are, or don't know what the risks are.  Or don't care (though people are starting to come around on caring about it)

I'm hoping that Microsoft's recent emphasis and patches on weak keys will trigger some interest in what's going on inside our corporate webservers.

... Because if the application and the information is important to your organization, it should be considered important enough to protect properly!

===============
Rob VandenBrink
Metafore