Nmap Development mailing list archives

Re: [NSE][RFC] New cipher strength ratings for ssl-enum-ciphers


From: David Fifield <david () bamsoftware com>
Date: Tue, 17 Jul 2012 12:36:24 -0700

On Tue, Jul 17, 2012 at 02:30:22PM -0500, Daniel Miller wrote:
On Tue, Jul 17, 2012 at 11:39 AM, David Fifield <david () bamsoftware com> wrote:

This looks fine to me, except for the change from weak/strong to A–F. If
we're going to do that, let's discuss it and do it as a separate patch.
It needs new @output too.

Please regenerate it with your Perl script; assign anything "A" to
"strong" and everything else "weak". I'm curious to know if anything we
had previously classified as "strong" is weak according to the SSL
ratings.

David Fifield

I will do that. I'd like to keep a category for ciphers that do not
encrypt or that do not authenticate. I'm calling it "broken" for now,
but I'm open to suggestions. For clarification, here are the number of
ciphers with each score currently:

3 unknown strength
263 A (strong)
21 D (weak)
13 E (weak)
59 F (broken)

+#!comment: CIPHER_SUITE                        STRENGTH  SCORE
+TLS_NULL_WITH_NULL_NULL                        broken    F
+TLS_RSA_WITH_NULL_MD5                          broken    F
+TLS_RSA_WITH_NULL_SHA                          broken    F
+TLS_RSA_EXPORT_WITH_RC4_40_MD5                 weak      E
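Review bot: the STRENGTH column in these rows introduces a third value, `broken`, next to the new SCORE column, so this hunk changes the database format at the same time as the ratings; a copy of ssl-enum-ciphers.nse that only knows `strong`/`weak` will meet a value it has never seen on `TLS_NULL_WITH_NULL_NULL` and the two `TLS_RSA_WITH_NULL_*` rows. If the STRENGTH column must keep its old vocabulary for backward compatibility, keep those rows as `weak` in STRENGTH and carry the `broken`/`F` distinction only in SCORE (or move the column addition to its own commit). The `E` on `TLS_RSA_EXPORT_WITH_RC4_40_MD5` is also a grade the reply below says should not exist in the A–F scale.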

So actually what I'm hoping for is for this commit not to break backward
compatibility with existing copies of ssl-enum-ciphers.nse. Change the
database format or whatever, but do it in a separate commit. This commit
should only be to change the strength ratings in the database file.
Functional changes, even the one to cache the cipher list, should be
separate commits.

The letter grades are kind of nice, but there shouldn't be a grade of
"E".

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
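The database format quoted above (a `#!comment:` header followed by `CIPHER_SUITE STRENGTH SCORE` rows) and David's rule for the backward-compatible file (anything rated A becomes "strong", everything else "weak") can be turned into a small conversion and consistency check. The following is an added example, not code from the thread or from Nmap; the sample rows are constructed in the quoted format, the A-rated `TLS_RSA_WITH_AES_128_CBC_SHA` row is an assumed rating added so the "strong" path is exercised, and the score-to-strength mapping is the one implied by the quoted rows (A strong, D and E weak, F broken).

```python
"""Convert the proposed three-column ssl-enum-ciphers database (CIPHER_SUITE
STRENGTH SCORE) back to the legacy two-column strong/weak form, and check that
the STRENGTH column agrees with the SCORE column."""
from collections import Counter

# Constructed sample in the format quoted in the thread. The last row (an
# A-rated suite) is an assumption added here so the "strong" path runs; it is
# not a rating taken from the thread.
SAMPLE_DB = """\
#!comment: CIPHER_SUITE                        STRENGTH  SCORE
TLS_NULL_WITH_NULL_NULL                        broken    F
TLS_RSA_WITH_NULL_MD5                          broken    F
TLS_RSA_WITH_NULL_SHA                          broken    F
TLS_RSA_EXPORT_WITH_RC4_40_MD5                 weak      E
TLS_RSA_WITH_AES_128_CBC_SHA                   strong    A
"""

# Score letter -> STRENGTH label, as implied by the quoted rows.
SCORE_TO_STRENGTH = {"A": "strong", "D": "weak", "E": "weak", "F": "broken"}


def parse_db(text):
    """Parse database text into (suite, strength, score) tuples.

    Blank lines and lines starting with '#' (including the '#!comment:'
    header) are skipped; any other line must have exactly three fields.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed database line: {raw!r}")
        suite, strength, score = fields
        entries.append((suite, strength, score))
    return entries


def legacy_strength(score):
    """David's rule for the backward-compatible file: A -> strong, else weak."""
    return "strong" if score == "A" else "weak"


def to_legacy(text):
    """Emit the old two-column CIPHER_SUITE STRENGTH format from the new one."""
    lines = ["#!comment: CIPHER_SUITE                        STRENGTH"]
    for suite, _strength, score in parse_db(text):
        lines.append(f"{suite:<46} {legacy_strength(score)}")
    return "\n".join(lines) + "\n"


def inconsistent_rows(text):
    """Rows whose STRENGTH column disagrees with the label implied by SCORE."""
    return [(suite, strength, score)
            for suite, strength, score in parse_db(text)
            if SCORE_TO_STRENGTH.get(score) != strength]


def score_counts(text):
    """Number of suites per score letter, like the tally quoted in the thread."""
    return Counter(score for _, _, score in parse_db(text))


if __name__ == "__main__":
    print(to_legacy(SAMPLE_DB))
    print("inconsistent rows:", inconsistent_rows(SAMPLE_DB))
    print("counts:", dict(score_counts(SAMPLE_DB)))
```

Run against the real database, `inconsistent_rows` is the check to keep in the regeneration script: it catches a row whose hand-edited STRENGTH no longer matches its SCORE, and `to_legacy` produces the file that older copies of the script can still read.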