40.1 Dealing with Security Scan Results

Running regular security scans on your network is critical to security administration. As exemplified in Section 41.0, Security Policies, security is a top priority for the Vibe development team.

Occasionally, reputable security scanning software reports risks that the Vibe team considers to be less significant than reported. The following are specific examples:

  • PHP as a Security Vulnerability: Although in many cases the presence of PHP scripts is a legitimate concern, in the case of Vibe, there is no PHP access without first authenticating through port 9443. Since access through port 9443 is secure by definition, Vibe’s PHP implementation is secure.

  • Diffie-Hellman 1024 Keys: If you run a Nessus or equivalent security scan, you might receive a report of Medium Risk associated with Diffie-Hellman 1024-bit keys.

    The Vibe team is aware of this and is considering increasing the key size in a future release. At this time, however, the team does not feel that this is a significant threat to Vibe installations; breaking 1024-bit keys requires computing resources that only a nation-state would have at its disposal.

    If you are concerned or feel that your organization might be vulnerable to nation-state attacks, you can specify a stronger key through the Java security policy.
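
As an added example that is not part of the Vibe documentation, the following POSIX shell check parses the output of `openssl s_client` so an administrator can confirm which ephemeral Diffie-Hellman size the Vibe server on port 9443 actually negotiates, and can re-run the same check after changing the Java key size. The host name, the `s_client` command line in the comment and the sample output are assumptions; an OpenSSL build that prints a `Server Temp Key:` line (1.0.2 or later) is assumed.

```shell
#!/bin/sh
# Added example, not Vibe's own code. Reads "openssl s_client" output and
# reports the ephemeral DH key size the server chose, so the scanner's
# "Diffie-Hellman 1024 keys" finding can be confirmed and re-checked.

# dh_bits: read s_client output on stdin, print the DH size in bits.
# Prints nothing when the handshake did not use (finite-field) DH at all,
# e.g. an ECDHE handshake prints "Server Temp Key: ECDH, ..." instead.
dh_bits() {
  sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1
}

# rate_dh: classify a key size. Prints "ok" (>= 2048 bits, exit 0),
# "weak" (smaller, exit 1) or "no-dh" (empty input, exit 2).
rate_dh() {
  bits="$1"
  if [ -z "$bits" ]; then
    echo "no-dh"; return 2
  elif [ "$bits" -lt 2048 ]; then
    echo "weak"; return 1
  else
    echo "ok"; return 0
  fi
}

# check_dh: parse s_client output on stdin and rate it in one step.
# Live use (host name is an assumption):
#   openssl s_client -connect vibe.example.com:9443 </dev/null 2>/dev/null | check_dh
check_dh() {
  rate_dh "$(dh_bits)"
}

# Constructed sample of what s_client prints for a 1024-bit DHE handshake,
# so the check can be exercised offline.
SAMPLE_1024='New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Server Temp Key: DH, 1024 bits'

printf '%s\n' "$SAMPLE_1024" | check_dh   # prints "weak"
```

On Java 8 and later the `jdk.tls.ephemeralDHKeySize` JVM system property controls the ephemeral DH size; whether a given Vibe release honours that property rather than another policy setting is not stated on this page.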