Vote NO to Weak Encryption!
This topic is likely more important than the Weak Key story I published earlier. Unfortunately, we all DO get a vote on weak encryption, and almost everyone votes wrong: accepting the defaults, which include easily attacked crypto algorithms.
I do a fair number of security assessments, and invariably I find servers that support "weak ciphers". What this means is that encryption using weak algorithms is supported, such as the ones below (taken from a recent assessment):
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
SSLv3
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
Note that regardless of the hash (MD5 or SHA1), every one of these suites uses a symmetric algorithm with a 40-bit key(!), and the key exchange (Kx) is 512-bit RSA in each case. And yes, you can still implement weak encryption in SSLv3 and TLS - why we all decided that should be in the default set for these newer protocols is beyond me! We're (mostly) past the days where we need to worry about our customers being subject to the old export regulations that limited them to 40- or 56-bit encryption (full disclosure - there are still a few exceptions).
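As an added example (not part of the diary, and not the code of any assessment tool), here is a small Python checker that parses lines in the Kx=/Au=/Enc=/Mac= layout shown above and lists every reason a suite fails a sane policy. The export lines in the sample are the ones from the assessment; the two AES lines, the policy thresholds (128-bit symmetric minimum, 2048-bit key exchange minimum) and the lists of broken ciphers and MACs are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Lines in the "Kx=... Au=... Enc=... Mac=..." layout used by "openssl ciphers -v"
# and shown in the diary. The protocol headers and the EXP-* lines are copied
# from the assessment output above; the two AES lines are constructed so the
# checker has something acceptable to contrast against.
SAMPLE_OUTPUT = """\
SSLv2
EXP-RC2-CBC-MD5 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
AES128-SHA Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES256-SHA Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
"""

# One cipher-suite line: name, key exchange (optional bit count), auth,
# encryption (optional bit count), MAC, optional trailing "export" flag.
SUITE_RE = re.compile(
    r"^(?P<name>\S+)\s+Kx=(?P<kx>[^\s(]+)(?:\((?P<kxbits>\d+)\))?\s+"
    r"Au=(?P<au>\S+)\s+Enc=(?P<enc>[^\s(]+)(?:\((?P<encbits>\d+)\))?\s+"
    r"Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$"
)

# Policy thresholds: assumptions made for this example, not values from the
# diary. The diary only shows that 40-bit symmetric keys and 512-bit RSA key
# exchange are far below any acceptable level.
MIN_SYMMETRIC_BITS = 128
MIN_KX_BITS = 2048
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3"}
BROKEN_CIPHERS = {"RC2", "RC4", "DES", "3DES"}
BROKEN_MACS = {"MD5"}


@dataclass
class Suite:
    protocol: str
    name: str
    kx: str
    kx_bits: Optional[int]
    enc: str
    enc_bits: Optional[int]
    mac: str
    export: bool
    reasons: List[str] = field(default_factory=list)


def parse_suites(text: str) -> List[Suite]:
    """Turn the grouped listing into Suite records; bare tokens are protocol headers."""
    suites: List[Suite] = []
    protocol = "?"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUITE_RE.match(line)
        if m is None:
            if " " not in line:  # e.g. "SSLv2", "TLSv1": the suites below belong to it
                protocol = line
                continue
            raise ValueError(f"unrecognised line: {line!r}")
        g = m.groupdict()
        suites.append(Suite(
            protocol=protocol, name=g["name"], kx=g["kx"],
            kx_bits=int(g["kxbits"]) if g["kxbits"] else None,
            enc=g["enc"], enc_bits=int(g["encbits"]) if g["encbits"] else None,
            mac=g["mac"], export=g["export"] is not None,
        ))
    return suites


def assess(suite: Suite) -> List[str]:
    """Record every policy failure for this suite; an empty list means acceptable."""
    r = suite.reasons
    if suite.protocol in OBSOLETE_PROTOCOLS:
        r.append(f"obsolete protocol {suite.protocol}")
    if suite.export:
        r.append("export-grade suite")
    if suite.enc in BROKEN_CIPHERS:
        r.append(f"broken cipher {suite.enc}")
    if suite.enc_bits is not None and suite.enc_bits < MIN_SYMMETRIC_BITS:
        r.append(f"{suite.enc_bits}-bit symmetric key")
    if suite.kx_bits is not None and suite.kx_bits < MIN_KX_BITS:
        r.append(f"{suite.kx_bits}-bit {suite.kx} key exchange")
    if suite.mac in BROKEN_MACS:
        r.append(f"weak MAC {suite.mac}")
    return r


def audit(text: str) -> List[Suite]:
    """Parse and assess a whole listing; every suite comes back with its reasons."""
    suites = parse_suites(text)
    for s in suites:
        assess(s)
    return suites


def weak_suites(text: str) -> List[Suite]:
    return [s for s in audit(text) if s.reasons]


if __name__ == "__main__":
    for s in audit(SAMPLE_OUTPUT):
        verdict = "WEAK" if s.reasons else "ok  "
        print(f"{verdict} {s.protocol:6} {s.name:22} {'; '.join(s.reasons)}")
```

Feeding it the real listing from a scanner (or from `openssl ciphers -v` with the protocol column stripped) gives a per-suite list of findings rather than a single yes/no, which is what you need when arguing for a change to a server's default cipher configuration.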
The problem is that until very recently, support for these weak encryption methods was part of the default installation - so if you run setup and press enter or "OK" 15 times, this is what you'll have. An attacker only needs to downgrade your encryption, either during the initial negotiation or by triggering a renegotiation, and they can decrypt your data. With the right tools the decryption of these algorithms can be almost real-time.
The sad thing is that, while it's very easy to disable these algorithms, almost every server you'd care to check still supports them, mostly because folks don't know that they are there, don't know what they are, or don't know what the risks are. Or don't care (though people are starting to come around on caring about it).
I'm hoping that Microsoft's recent emphasis and patches on weak keys will trigger some interest in what's going on inside our corporate webservers.
... Because if the application and the information is important to your organization, it should be considered important enough to protect properly!
===============
Rob VandenBrink
Metafore
Comments
https://www.ssllabs.com/ssltest/
Is there something better?
Anonymous
Jul 18th 2012
http://sourceforge.net/projects/sslscan/
The 542 course also recommends several others, including scripting openssl.
I think the Qualys site would be fine unless your company/client has policies restricting the use of web sites for testing.
John
Jul 20th 2012