[WEB SECURITY] Re: [Webappsec] weak ssl ciphers

Tim tim-webappsec at sentinelchicken.org
Mon Apr 7 15:15:40 EDT 2008

Hello Travis,

On Mon, Apr 07, 2008 at 02:56:12PM -0400, Travis Altman wrote:
> I've been trying to find some documentation on how long it would take to
> decipher weak SSL keys (40 and 56 bit ciphers) but can't seem to find any.
> Does anyone know of any good documentation on this?  I would like to have
> this documentation for recommendations on disabling weak ciphers.

I'm not sure how long this would take on a typical system nowadays.
Hopefully someone will chime in with some numbers.

A related question that I would like to bring up:  Given that RC4 is
commonly available as a weak/export cipher, does anyone know how hard it
would be to attack RC4's weak IV issues to divulge a key more quickly?
Would it be possible to gather enough IVs quickly enough to make it
worth the effort instead of just brute forcing the key directly?

