
EXPORT ciphers are treated as WEAK rather than INSECURE

Question asked by Dave Garrett on Dec 5, 2014
Latest reply on Dec 5, 2014 by Dave Garrett

I happened to take a look at a few of the "Recent Worst" scans. I seriously think you need to add an F- rating for some of these.


There's an odd inconsistency I noticed: there are ciphers listed as INSECURE (in red) that are arguably more secure than some ciphers listed as WEAK (in orange). All the EXPORT ciphers were explicitly designed to be insecure, seeing as the US gov wanted to ban exporting usable cryptography for quite a while. Any server supporting them at this point is past "insecure" into some level of incompetence that words can't properly describe (especially one hosted in the US). Please mark these things at least INSECURE. I'd suggest a "FARCICALLY INSECURE" label with a little fire icon or something, but that's probably overkill.


For servers actually using these things, I'd also like to request a red/pink note box in the summary be added saying something to the effect of "This server supports 1990s era US export ciphers which provide virtually no security. Grade set to F." (in addition to whatever language is used for SSL2, which is likely the case)


The example I noticed this on:

Qualys SSL Labs - Projects / SSL Server Test / catherineskids.org

Qualys SSL Labs - Projects / SSL Server Test / catherineskids.org (dev version)


In particular, I see that TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 is listed as WEAK rather than fully INSECURE. Yep, that's 40bit RC2 with MD5. I think WEAK is an understatement that needs addressing at some point.
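The rule the post argues for, written out as an added example (not SSL Labs code and not something Dave posted): a small classifier that rates cipher-suite names and puts every EXPORT suite, along with anonymous and NULL suites, in the INSECURE bucket rather than WEAK, then derives a summary grade and the red-box note the post suggests. The function names `rate_suite` and `grade_server`, the rule table, the simplified grade mapping (any INSECURE suite sets F) and the `SAMPLE_SUITES` list are all constructed for this illustration and are not the grader's real logic; the suite names themselves are standard IANA names, including the one from the scan.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample cipher list (hypothetical server), including the
# 40-bit RC2/MD5 export suite the post calls out.
SAMPLE_SUITES: List[str] = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_NULL_SHA",
]

INSECURE = "INSECURE"
WEAK = "WEAK"
OK = "OK"

# Hypothetical rule table; the first matching rule decides.
# Export-grade suites (40- or 56-bit keys) are checked before the
# "legacy algorithm" rule so they never fall through to WEAK.
_RULES: List[Tuple[re.Pattern, str, str]] = [
    (re.compile(r"EXPORT|_40_|DES40|_56_"), INSECURE,
     "export-grade key length (40/56-bit), brute-forceable"),
    (re.compile(r"_anon_|_NULL_"), INSECURE,
     "no server authentication or no encryption at all"),
    (re.compile(r"_RC4_|_RC2_|_DES_|_3DES_|_MD5$"), WEAK,
     "legacy cipher or MAC, deprecated but not trivially broken"),
]

EXPORT_NOTE = ("This server supports 1990s era US export ciphers which "
               "provide virtually no security. Grade set to F.")


def rate_suite(name: str) -> Tuple[str, str]:
    """Return (rating, reason) for one IANA cipher-suite name."""
    for pattern, rating, reason in _RULES:
        if pattern.search(name):
            return rating, reason
    return OK, "no known weakness flagged"


def grade_server(suites: List[str]) -> Dict[str, object]:
    """Rate every suite and derive a simplified summary grade.

    Hypothetical grade mapping: any INSECURE suite -> F, any WEAK
    suite -> C, otherwise A. Not the real SSL Labs grading algorithm.
    """
    ratings: Dict[str, str] = {s: rate_suite(s)[0] for s in suites}
    levels = set(ratings.values())
    if INSECURE in levels:
        grade = "F"
    elif WEAK in levels:
        grade = "C"
    else:
        grade = "A"

    notes: List[str] = []
    if any("EXPORT" in s for s in suites):
        notes.append(EXPORT_NOTE)
    return {"ratings": ratings, "grade": grade, "notes": notes}


if __name__ == "__main__":
    report = grade_server(SAMPLE_SUITES)
    for suite, rating in report["ratings"].items():
        print(f"{rating:9} {suite}  ({rate_suite(suite)[1]})")
    print("Grade:", report["grade"])
    for note in report["notes"]:
        print("Note:", note)
```

The ordering of the rule table is the point: a name-based classifier that tests "RC2" or "MD5" before "EXPORT" would file TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 under WEAK, which is exactly the inconsistency described above.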
