Usage of insecure cipher

Description

Using an insecure cipher suite in your application introduces a significant security risk. These weak cipher suites are susceptible to various attacks, compromising the security of your communications.

Remediations

  • Do use modern, secure cipher suites that offer Perfect Forward Secrecy (PFS), such as ECDHE-RSA-AES256-GCM-SHA384 or ECDHE-RSA-CHACHA20-POLY1305. PFS ensures that even if a long-term private key is compromised in the future, past communications remain secure.
  • Do adopt TLS 1.3 whenever possible, as it includes enhancements that offer better security against various attacks. The Go standard library, for instance, automatically prefers the most secure protocol and cipher suite available.
    cfg := &tls.Config{
        MinVersion: tls.VersionTLS13,
    }
  • Do not use obsolete or insecure cipher suites. Avoid any cipher suites that lack support for modern security standards or have known vulnerabilities.
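
The remediations above as a check you can run, added here as an example and not taken from Bearer's rule or the Go project: a TLS 1.2 configuration pinned to the two PFS suites named above (under their Go constant names) next to a constructed weak one, with an audit helper that reports each weak setting. The names `hardenedConfig`, `weakConfig` and `auditConfig` are hypothetical.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// hardenedConfig: explicit TLS 1.2 floor and ECDHE (PFS) AEAD suites only.
func hardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
		},
	}
}

// weakConfig is a constructed bad example: no version floor, RC4, static RSA.
func weakConfig() *tls.Config {
	return &tls.Config{CipherSuites: []uint16{tls.TLS_RSA_WITH_RC4_128_SHA, tls.TLS_RSA_WITH_AES_128_GCM_SHA256}}
}

// auditConfig (hypothetical helper) returns one finding per weak setting.
func auditConfig(cfg *tls.Config) []string {
	var findings []string
	// Require an explicit floor: older Go releases default below TLS 1.2.
	if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "MinVersion is unset or below TLS 1.2")
	}
	insecure := map[uint16]bool{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = true
	}
	// Go applies CipherSuites to TLS 1.0-1.2 only; TLS 1.3 suites are fixed.
	for _, id := range cfg.CipherSuites {
		name := tls.CipherSuiteName(id)
		if insecure[id] {
			findings = append(findings, name+": listed in tls.InsecureCipherSuites()")
		} else if !strings.HasPrefix(name, "TLS_ECDHE_") {
			findings = append(findings, name+": not an ECDHE (PFS) suite for TLS 1.2")
		}
	}
	return findings
}

func main() {
	fmt.Println(auditConfig(weakConfig()), auditConfig(hardenedConfig()))
}
```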

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=go_gosec_crypto_bad_tls_settings

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=go_gosec_crypto_bad_tls_settings