Will It Vibe logoWill It Vibe?
CSHARP-008High severity-15 points

Legacy weak symmetric cipher provider instantiated

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

DESCryptoServiceProvider, TripleDESCryptoServiceProvider, and RC2CryptoServiceProvider implement ciphers that are brute-forceable (DES, RC2) or retired (3DES) by modern standards and should not be used for new encryption.

Why it matters

DESCryptoServiceProvider (56-bit DES), TripleDESCryptoServiceProvider (retired 3DES), and RC2CryptoServiceProvider (weak, small-block RC2) are all cryptographically broken or obsolete by current standards. Data encrypted with any of them can be decrypted with realistic amounts of compute, so anything protected this way should be treated as effectively unencrypted against a motivated attacker.

How to fix it

Replace the legacy provider with Aes.Create() (AES-GCM via AesGcm on .NET Core 3.0+, or AES-CBC with an HMAC if you need broader compatibility). AES with a 256-bit key and an authenticated mode is the standard modern choice for symmetric encryption in .NET and requires re-encrypting any data that was protected with the old cipher.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks