high SSL/TLS

Weak TLS Cipher Suite

The server negotiates weak TLS cipher suites (RC4, 3DES, CBC, NULL, EXPORT) that are vulnerable to known attacks.

Severity
high
Time to Fix
30 minutes
Difficulty
medium
OWASP
A02:2021 — Cryptographic Failures

What is Weak TLS Cipher Suite?

TLS cipher suites determine how the browser and server encrypt their communication. Weak ciphers like RC4 (broken since 2015), 3DES (Sweet32 attack), CBC mode (Lucky13 padding oracle), and NULL/EXPORT ciphers can be broken by attackers to decrypt traffic. Modern sites should only use AEAD ciphers like AES-GCM and ChaCha20-Poly1305.

Why It Matters to Your Business

Weak TLS ciphers allow attackers to decrypt HTTPS traffic, exposing credentials, payment data, and personal information. RC4 can be broken in hours; 3DES in days with traffic capture. Regulatory frameworks (PCI DSS, HIPAA) explicitly require strong ciphers.

How to Fix It

Disable weak ciphers in your web server config:

Nginx:
  ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
  ssl_prefer_server_ciphers off;

Apache:
  SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:...
  SSLHonorCipherOrder off

Disable TLS 1.0 and 1.1 (deprecated since 2020):
  Nginx: ssl_protocols TLSv1.2 TLSv1.3;
  Apache: SSLProtocol -all +TLSv1.2 +TLSv1.3

Technical Classification

OWASP CategoryA02:2021 — Cryptographic Failures
CWE IDCWE-327: Use of a Broken or Risky Cryptographic Algorithm
Detected Byssl, tls_cipher scanner(s)
Severity Levelhigh

Check if your website has this vulnerability

Our ssl, tls_cipher scanner checks for this issue automatically.

Scan My Website Free

Related Vulnerabilities