CWE-326 Inadequate Encryption Strength
What this means
SiteShadow flagged encryption settings that appear too weak (deprecated algorithms, weak key sizes, insecure modes, or legacy protocol versions that undermine confidentiality/integrity).
Why it matters
Weak encryption can be brute-forced or bypassed.
- Confidentiality loss: attackers can recover plaintext if encryption is breakable.
- Tampering risk: non-authenticated encryption allows undetected modifications.
- Long-term exposure: weak crypto might be "fine today" but break later, exposing stored data.
Safer examples
1) Use modern, authenticated encryption (AEAD)
Prefer AES-256-GCM or ChaCha20-Poly1305 via well-maintained libraries.
2) Avoid deprecated algorithms and modes
Avoid DES/3DES/RC4, and avoid AES-CBC without a secure MAC/AEAD construction.
3) Use safe key management
Generate keys with CSPRNGs, rotate keys, and store them in a secret manager/KMS (see S01 / CWE-321).
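Points 1 and 3 above, sketched in Go with only the standard library. This is an added example, not SiteShadow's code or part of the original page. The names `newGCM`, `Seal` and `Open`, the nonce-prefixed message layout, and the sample record and `record-id:42` value are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // accepts 16-, 24- or 32-byte keys
	if err != nil || len(key) != 32 { // allow AES-256 only, never a shorter key
		return nil, fmt.Errorf("need a 32-byte AES-256 key, got %d bytes", len(key))
	}
	return cipher.NewGCM(block)
}

func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every message
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil // nonce || ciphertext || tag
}

func Open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad key or truncated message")
	}
	// The tag is verified first: changed ciphertext or aad returns an error.
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

func main() {
	key, aad := make([]byte, 32), []byte("record-id:42") // aad is a constructed value
	if _, err := rand.Read(key); err != nil { // key from the OS CSPRNG
		panic(err)
	}
	sealed, err := Seal(key, []byte("constructed sample record"), aad)
	if err != nil {
		panic(err)
	}
	sealed[len(sealed)-1] ^= 1 // simulate tampering at rest
	_, err = Open(key, sealed, aad)
	fmt.Println("tampered message rejected:", err != nil)
}
```

In a real deployment the key would come from a secret manager/KMS rather than being generated in process memory at startup.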
How SiteShadow detects it (high level)
- Detects use of known-weak algorithms/modes and insecure key sizes.
- Flags crypto configuration that enables legacy protocol versions or weak cipher suites.
References
- CWE-326: https://cwe.mitre.org/data/definitions/326.html