Re: [NSE][RFC] New cipher strength ratings for ssl-enum-ciphers

[Daniel Miller <bonsaiviking () gmail com>]

On Tue, Jul 17, 2012 at 2:36 PM, David Fifield <david () bamsoftware com> wrote:
> On Tue, Jul 17, 2012 at 02:30:22PM -0500, Daniel Miller wrote:
> > On Tue, Jul 17, 2012 at 11:39 AM, David Fifield <david () bamsoftware com> wrote:
> > > This looks fine to me, except for the change from weak/strong to A–F. If
> > > we're going to do that, let's discuss it and do ti as a separate patch.
> > > It needs new @output too.
> > >
> > > Please regenerate it with your Perl script; assign anything "A" to
> > > "strong" and everything else "weak". I'm curious to know if anything we
> > > had previously classified as "strong" is weak according to the SSL
> > > ratings.
> > >
> > > David Fifield
> >
> > I will do that. I'd like to keep a category for ciphers that do not
> > encrypt or that do not authenticate. I'm calling it "broken" for now,
> > but I'm open to suggestions. For clarification, here are the number of
> > ciphers with each score currently:
> >
> > 3 unknown strength
> > 263 A (strong)
> > 21 D (weak)
> > 13 E (weak)
> > 59 F (broken)
>
> +#!comment: CIPHER_SUITE                        STRENGTH  SCORE
> +TLS_NULL_WITH_NULL_NULL                        broken    F
> +TLS_RSA_WITH_NULL_MD5                          broken    F
> +TLS_RSA_WITH_NULL_SHA                          broken    F
> +TLS_RSA_EXPORT_WITH_RC4_40_MD5                 weak      E
>
> So actually what I'm hoping for is for this commit not to break backward
> compatibility with existing copies of ssl-enum-ciphers.nse. Change the
> database format or whatever, but do it in a separate commit. This commit
> should only be to change the strength ratings in the database file.
> Functional changes, even the one to cache the cipher list, should be
> separate commits.
>
> The letter grades are kind of nice, but there shouldn't be a grade of
> "E".
>
> David Fifield

I have separated the functional changes from the strength ratings
change, but FYI both versions of the script simply ignore fields after
the first 2. I'm attaching both patches, but I have already applied
the strength ratings change in r29264 (using the old database format).

The "E" score is from the ssllabs.com document. Obviously that's no
longer an issue after going back to the "strong/weak" metric. For
non-US list members who may not know, the standard academic grading
system here uses grades A through D, and F is for Failure (no E
grade).

Comments still welcome on the modifications for caching the cipher strengths.

Dan

Attachment: strength-ratings.patch
Description:

Attachment: cipher-caching.patch
Description:

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/