Symptom
Penetration testing and BitSight report a cybersecurity risk: "Diffie-Hellman prime is very commonly used and is not safe".
Environment
SAP SuccessFactors Recruiting Marketing
Resolution
After a thorough investigation, SF Service Security confirmed that the reported finding is a false positive.
Our career site URLs receive A+ ratings in the Qualys SSL Labs test report, which also confirms our proper DH configuration. We implement DH properly and securely: no common primes and no re-use of parameters.
We tried different configurations as described in the customer's finding report, but even with custom parameters and larger bit sizes the false warning remained. This indicates that the tool customers are using may not be testing accurately and may be raising the warning based solely on the presence of DH, even when no actual problem exists.
We have found that this is not a true vulnerability; these are faulty tests producing false positives (e.g. Cryptosense or BitSight scan tests), and our SSL Labs rating confirms this (SSL Server Test: https://www.ssllabs.com/ssltest/). No configuration is to be changed on our end.
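To show what such a finding should actually be checked against, here is an added example (not SAP's code or procedure): given a server's DH prime p and generator g, it tests primality, the safe-prime property, modulus length, and whether p matches a catalogue of widely shared primes. The catalogue contents are an assumption left for the reviewer to fill in (e.g. from the RFC 2409 / RFC 3526 group texts); the test values below are constructed.

```python
import hashlib
import random

# Example code added for illustration; not part of the SAP KBA.

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases; adequate for reviewing a DH modulus."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # composite witness found
    return True

def fingerprint(p: int) -> str:
    """SHA-256 of p's big-endian bytes: the form a catalogue of known primes can store."""
    return hashlib.sha256(p.to_bytes((p.bit_length() + 7) // 8, "big")).hexdigest()

def review_dh_group(p: int, g: int, known_fingerprints: set, min_bits: int = 2048) -> dict:
    """Return the facts a reviewer needs to accept or dismiss a 'common DH prime' finding.

    known_fingerprints: assumed catalogue of fingerprint() values for widely shared
    primes; matching it is reported as information, since a shared prime of
    adequate length is not by itself a weakness.
    """
    q = (p - 1) // 2
    facts = {
        "bits": p.bit_length(),
        "prime": is_probable_prime(p),
        "safe_prime": is_probable_prime(q),   # q = (p-1)/2 must also be prime
        "generator_ok": 1 < g < p - 1,
        "long_enough": p.bit_length() >= min_bits,
        "well_known_prime": fingerprint(p) in known_fingerprints,
    }
    facts["acceptable"] = (facts["prime"] and facts["safe_prime"]
                           and facts["generator_ok"] and facts["long_enough"])
    return facts
```

Feed it the p and g printed by `openssl dhparam -text` for the server's parameter file; a real review keeps min_bits at 2048.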
Keywords
rmk, career site, recruiting marketing, Diffie-Hellmann, DiffieHellmann, DiffieHelmann, security, cybersecurity risk, BitSight, Cryptosense, SSL Labs, KBA, LOD-SF-RMK-SEC, Security & Vulnerabilities, Problem