Use of a broken or risky cryptographic algorithm

Description

A security concern arises when a cryptographically insecure cipher suite is used in an application. Such cipher suites may be vulnerable to various types of attacks, reducing the security of the communication channel.

Remediation

To enhance the security of TLS connections, it is crucial to use up-to-date and secure cipher suites and protocols. Here are the recommended steps to ensure the use of secure ciphers:

✅ Use Modern, Secure Cipher Suites

Select cipher suites that are known to be secure and have properties such as Perfect Forward Secrecy (PFS), which protects past communications even if future private keys are compromised.

✅ Adopt TLS 1.3 Where Possible

TLS 1.3 should be the preferred protocol as it includes improvements over previous versions, making it more secure against various attacks. Go's standard library will automatically prefer the most secure protocol and cipher suite available during the TLS handshake.

✅ Configure TLS Properly If Using TLS 1.0-1.2

In cases where TLS 1.3 is not an option and you must use TLS 1.0-1.2, ensure to configure the cipher suites to use those that support PFS, as listed below.

❌ Avoid Using Obsolete or Insecure Cipher Suites

Avoid any cipher suites that do not support modern security standards, including those without PFS or with known vulnerabilities.

The provided Go code examples demonstrate how to configure the tls.Config struct for a Go server to use TLS 1.3 or to specify a list of secure cipher suites when using TLS 1.0-1.2.

Resources

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=go_gosec_crypto_bad_tls_settings

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=go_gosec_crypto_bad_tls_settings

Ready to take the next step? Learn more about Bearer Cloud.