Dave Garrett

Test's definition of "WEAK" is weak

Discussion created by Dave Garrett on Aug 22, 2014
Latest reply on Sep 5, 2014 by Ivan Ristić

I came across this site:

https://www.ssllabs.com/ssltest/analyze.html?d=ap2.commercialpress.com.hk


Someone reported that Firefox wouldn't even allow a security exception to load it. It's running an obsolete SSL3 only setup with really bad ciphers. The SSL Labs test calls the 56-bit DES ciphers in use there "WEAK". This is a fairly outdated interpretation at this point, as we'd generally also consider the RC4 and 3DES ones to be weak now. Export ciphers were designed to be weak in the 90s; in 2014 they should be considered a sign of brokenness.


I'd like to suggest the following changes:

1) Call 40/56-bit ciphers "INSECURE" and highlight them red instead of orange

2) Call RC4 and anything <128-bit "WEAK" and highlight them orange instead

(I would hope that a NULL cipher is already labeled as insecure)


The more precise the language is here, the easier it is to use this test to inform bug reporters of issues with a site they're trying to access. Sure, it fails outright, but I think that's primarily due to the insecure renegotiation. On other sites that support these old "weak" ciphers, it would be nice to have the cipher list show how glaring the problem is.
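The grading rule proposed in this post, written out as an added example (not SSL Labs' own grading code): 40/56-bit and export suites and NULL go to INSECURE/red, RC4 and anything below 128 bits effective go to WEAK/orange. The "OK"/green label, the effective-strength table (3DES counted as 112 bits) and the IANA-style suite names used as input are this example's own assumptions.

```python
"""Cipher-suite grading following the proposal in the post above."""
from __future__ import annotations
import re

# Effective key strength in bits per bulk cipher named in IANA suite
# strings. Assumption of this example: 3DES is rated at its effective
# 112 bits (not the nominal 168), so it falls into the "<128-bit" bucket.
_CIPHER_BITS = {
    "NULL": 0, "DES40": 40, "DES": 56, "RC2_CBC_40": 40, "RC4_40": 40,
    "RC4_128": 128, "3DES_EDE": 112, "IDEA": 128,
    "AES_128": 128, "AES_256": 256, "CAMELLIA_128": 128,
    "CAMELLIA_256": 256, "CHACHA20": 256,
}

# Longer alternatives first so DES40 is not swallowed by DES, etc.
_BULK_RE = re.compile(
    r"_WITH_(NULL|DES40|DES|RC2_CBC_40|RC4_40|RC4_128|3DES_EDE|IDEA|"
    r"AES_128|AES_256|CAMELLIA_128|CAMELLIA_256|CHACHA20)"
)

def grade(suite: str) -> tuple[str, str]:
    """Return (label, colour) for one IANA-style cipher suite name."""
    m = _BULK_RE.search(suite)
    if not m:
        raise ValueError(f"unrecognised bulk cipher in {suite}")
    bulk = m.group(1)
    bits = _CIPHER_BITS[bulk]
    # Proposal 1: NULL, export and 40/56-bit suites are INSECURE (red).
    if bits <= 56 or "_EXPORT" in suite:
        return "INSECURE", "red"
    # Proposal 2: RC4 at any length and anything <128-bit is WEAK (orange).
    if bulk.startswith("RC4") or bits < 128:
        return "WEAK", "orange"
    return "OK", "green"  # label assumed; the post names no "good" label

def worst_grade(suites: list[str]) -> tuple[str, list[str]]:
    """Overall verdict for a server: its worst label and the suites
    that earned it, so the cipher list shows how glaring a problem is."""
    order = {"INSECURE": 0, "WEAK": 1, "OK": 2}
    labels = {s: grade(s)[0] for s in suites}
    worst = min(labels.values(), key=order.__getitem__)
    return worst, [s for s, lbl in labels.items() if lbl == worst]

if __name__ == "__main__":
    # Constructed sample of an SSL3-era suite list, not the site's real list.
    sample = ["TLS_RSA_WITH_DES_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA",
              "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_NULL_SHA"]
    for s in sample:
        print(s, *grade(s))
    print("verdict:", *worst_grade(sample))
```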
