DES Cipher suite didn't mark as red about sslscan HOT 3 CLOSED

Originally ciphers <= 40 bits were flagged as red, and 56bit ciphers were flagged as yellow (to align sslscan with some of the other scanning tools like Nessus).

I think that you're correct that at this stage that both of them should be considered bad enough to be treated the same, so I've updated the colouring to this:

You'll probably never see ciphers flagged as yellow in practice, there are only a couple of ciphers between 56 and 112 bit, and they're stuff like SSL_FORTEZZA_KEA_WITH_FORTEZZA_CBC_SHA which I don't think is even implemented in OpenSSL.

~rbsec

from sslscan.

I believe for this will fall for RC4 as well as the new research shows that RC4 is not safe anymore. I'll open another issues regarding this if you feel that it should be modified in sslscan.

from sslscan.

IIRC the current best attacks against RC4 (Bar Mitzvah and NOMORE) require ~1 billion ciphertexts to be exploitable (and NOMORE will then give you ~10 million cookies to try), which isn't really in the realm of being viable for real world attacks (as with BEAST, NOMORE requires you to be able to execute JavaScript in the context of the target domain, which makes the attack somewhat less useful).

The mainstream browsers have announced this week that they're dropping support for RC4 early next year, so I think I'll change RC4 to red in sslscan once it's no longer supported by them.

from sslscan.