‘Export Ciphers’ Enabled
Export Ciphers Enabled
‘Export ciphers’ are low-grade cryptographic ciphers that were authorized to be used outside the US during the 1990’s. During this time encryption was heavily regulated by the US government as auxiliary military equipment. This allowed intelligence agencies greater ease to eavesdrop on foreign communication channels of interest.
Although export ciphers may be strong enough to secure data from the general public, they include many well known flaws that would allow state-sponsored actors to break the encryption if intercepted. Supporting export ciphers poses an excessive risk to users who may be using older web clients.
Because most SSL/TLS services negotiate ciphers in a top-down fashion, it is rare that clients such as web browsers will negotiate all the way to down to export grade encryption. Despite this, consideration should be given to downgrade attacks where negotiation of export ciphers may be forced by a MITM vector.
List of known export ciphers
| RFC Cipher Name | OpenSSL Cipher Name |
|---|---|
| SSL_RSA_EXPORT_WITH_RC4_40_MD5 | EXP-RC4-MD5 |
| SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 | EXP-RC2-CBC-MD5 |
| TLS_RSA_EXPORT_WITH_DES40_CBC_SHA | EXP-DES-CBC-SHA |
| TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA | EXP-DH-DSS-DES-CBC-SHA |
| TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA | EXP-DH-RSA-DES-CBC-SHA |
| TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA | EXP-EDH-DSS-DES-CBC-SHA |
| TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA | EXP-EDH-RSA-DES-CBC-SHA |
| TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 | EXP-ADH-RC4-MD5 |
| TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA | EXP-ADH-DES-CBC-SHA |
| TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA | EXP-KRB5-DES-CBC-SHA |
| TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA | EXP-KRB5-RC2-CBC-SHA |
| TLS_KRB5_EXPORT_WITH_RC4_40_SHA | EXP-KRB5-RC4-SHA |
| TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 | EXP-KRB5-DES-CBC-MD5 |
| TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 | EXP-KRB5-RC2-CBC-MD5 |
| TLS_KRB5_EXPORT_WITH_RC4_40_MD5 | EXP-KRB5-RC4-MD5 |
| TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 | EXP1024-RC4-MD5 |
| TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 | EXP1024-RC2-CBC-MD5 |
| TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA | EXP1024-DES-CBC-SHA |
| TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA | EXP1024-DHE-DSS-DES-CBC-SHA |
| TLS_RSA_EXPORT1024_WITH_RC4_56_SHA | EXP1024-RC4-SHA |
| TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA | EXP1024-DHE-DSS-RC4-SHA |
Remediation
Export grade ciphers should be removed unless support is explicitly required to support geographic areas that still may be regulated by federal laws.
Please reference the following URL for more information: https://en.wikipedia.org/wiki/Export_of_cryptography_from_the_United_States