AnsweredAssumed Answered

RC4-MD5 for SSLv3/TLSv1

Question asked by Fabrice LE GAL on Jul 4, 2013
Latest reply on Jul 4, 2013 by Ivan Ristić

Hello,

 

In the framework of PCI-DSS, we are performing vulnerability scan with nCircle appliance.

 

Recent scans consider RC4-MD5 (128bits) cipher in SSLv3/TLS as weak cipher and set CVSS score to 4.0 (so not compliant with PCI-DSS requirement).

 

The solution is to disable all ciphers using MD5 for MAC (Message Authentication Code).

 

I do not understand why they suddenly set these ciphers as weak now (and why they set unilaterally this score).

According to my search, i am not aware of rew or recent attack with this.

 

This cipher widely deployed in Internet.

 

SSL Labs scan still consider this cipher as secure enough.

 

Are you aware of something?

Any idea to argue with ncircle, please?

 

Thank you for your thought.

 

Regards,

Fabrice

Outcomes