Export-grade ciphers are still in use

October 7, 2016

Since World War II, U.S government has regulated the export of cryptography for national security considerations. The export of cryptographic technology and devices from the United States was severely restricted by U.S. law until 1992, but was gradually eased until 2000. Export-grade ciphers were created in 1990s in response to U.S. regulation. Until recent years, many web browsers and web servers still support these weak ciphers for backward compatibility.

Last year, security searchers published papers revealing vulnerabilities regarding export-grade ciphers. (You might have heard FREAK attack and Logjam attack.) Since then, vendors of web browser and web server have taken necessary steps to stop supporting export-grade ciphers.

A year after the outbreaks, Dell SonicWALL still observes web traffic using export-grade ciphers. Statistics of September 2016 shows hits of IPS sid:6366 "Client Hello with EXPORT Cipher Suites 1":

Export-grade ciphers are insecure and can damage the system. Dell SonicWALL urges all our customers to review their environment and patch the software that are still using these weak ciphers.