You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
x/crypto/ssh has "arcfour256", "arcfour128" in its list of default ciphers. These ciphers are now considered weak. I seems like it might be time to disable these by default as the documentation says:
// The allowed cipher algorithms. If unspecified then a sensible
// default is used.
Ciphers []string
These two ciphers are rc4 variants. They do discard the first 1536 bytes of the cipher stream so they are better than plain rc4 but they are still considered weak.
RC4 was disabled by default in crypto/tls in 2015: #10094.
I was dinged in a security audit because these ciphers were enabled. I can obviously remove them from my config, but with the OpenSSH changes it seemed like it might be more appropriate to update the defaults.
If this change is acceptable I'm happy to something for code review.
The text was updated successfully, but these errors were encountered:
Thanks for bringing this up. The OpenSSH changes suggest there is no sizable compatibility loss, so I’m strongly in favor. (Even if I think SSH has strong downgrade protection, so they wouldn’t affect most connections.)
x/crypto/ssh has
"arcfour256", "arcfour128"
in its list of default ciphers. These ciphers are now considered weak. I seems like it might be time to disable these by default as the documentation says:These two ciphers are rc4 variants. They do discard the first 1536 bytes of the cipher stream so they are better than plain rc4 but they are still considered weak.
OpenSSH disabled them by default in 7.2 (2016-02-29) and removed them completely in release 7.6 (2017-10-03).
RC4 was disabled by default in crypto/tls in 2015: #10094.
I was dinged in a security audit because these ciphers were enabled. I can obviously remove them from my config, but with the OpenSSH changes it seemed like it might be more appropriate to update the defaults.
If this change is acceptable I'm happy to something for code review.
The text was updated successfully, but these errors were encountered: