VULN-DISCLOSURE-POLICY: use of weak algos

Not necessarily security problems.

Closes #17220
This commit is contained in:
Daniel Stenberg 2025-04-29 11:10:19 +02:00
parent 2fa3d528ae
commit 9f57c2ea95
No known key found for this signature in database
GPG key ID: 5CC908FDB71E12C2
3 changed files with 12 additions and 2 deletions

View file

@ -176,6 +176,7 @@ DELE
DER
dereference
dereferences
DES
deselectable
deserialization
Deserialized

View file

@ -337,3 +337,13 @@ A *legacy dependency* is here defined as:
- there are modern versions of equivalent or better functionality offered and
in common use
## weak algorithms required for functionality
curl supports several algorithms that are considered weak, like DES and MD5.
These algorithms are still not curl security vulnerabilities or security
problems as they are only used when the users explicitly ask for their use by
using the protocols or options that require the use of those algorithms.
When servers upgrade to use secure alternatives, curl users should use those
options/protocols.

View file

@ -80,8 +80,7 @@ HTTP NTLM authentication. A proprietary protocol invented and used by
Microsoft. It uses a challenge-response and hash concept similar to Digest, to
prevent the password from being eavesdropped.
You need to build libcurl with either OpenSSL or GnuTLS support for this
option to work, or build libcurl on Windows with SSPI support.
NTLM uses weak cryptographic algorithms and is not considered secure.
## CURLAUTH_NTLM_WB