Re: [EXT] Proposal: Add "Insecure default" as a general CWE category (per "Secure-by-design" paper)

2024-01-10 Thread David A. Wheeler
iteria that MD5 & SHA-1 no longer meet, e.g. https://duo.com/decipher/sha-1-fully-and-practically-broken-by-new-collision https://shattered.io/ --- David A. Wheeler

Re: [EXT] Proposal: Add "Insecure default" as a general CWE category (per "Secure-by-design" paper)

2024-01-09 Thread David A. Wheeler
password that's known to anyone other than that specific user. It's fine for a system to request a password on startup, or have a unique password set per instance, but a default password shared among instances is insecure. * Uses a known insecure algorithm for security purposes, e.g., MD5 or SHA-1 or DES as a security mechanism. Non-security uses are fine. --- David A. Wheeler

Re: [EXT] Proposal: Add "Insecure default" as a general CWE category (per "Secure-by-design" paper)

2024-01-09 Thread David A. Wheeler
d be possible to generalize this existing CWE, but I fear that such a large change in meaning would be a problem. Again, the underlying issue is that modern systems are too complex to assume that people will configure them. Systems will, in almost all cases, do whatever the default is. If the default for "normal use" is insecure, then the software is insecure. --- David A. Wheeler

[EXT] Proposal: Add "Insecure default" as a general CWE category (per "Secure-by-design" paper)

2024-01-03 Thread David A. Wheeler
etically possible to configure into being secure". I'm sure there will be many discussions. That said, the first step is to acknowledge that "insecure by default" *IS* a security vulnerability & specifically label it as a category of vulnerability. People can then work to carefully def

Re: CWE/CAPEC Definitions

2022-07-14 Thread David A. Wheeler
are only known vulnerabilities, then you can't discover vulnerabilities. It would mean the mere act of looking creates vulnerabilities. --- David A. Wheeler

Re: CWE-653 name

2022-06-30 Thread David A. Wheeler
ines (like Google's) to find it. In addition, adding more text in the detailed description to explain alternative terms might also help when searching. --- David A. Wheeler

Re: [External] - RE: Bad loop construct

2022-05-25 Thread David A. Wheeler
bly a loop over 1 value (which is a little odd, but not insane and such a construct is less likely to be an error). I doubt such a construct often leads to a vulnerability. It seems like the sort of thing likely to be detected in practically any testing, since it's deterministic & doesn't depend on