
Author: Government Digital Service

Weak or suboptimal cipher suites supported

What this means

A cipher suite is the set of algorithms a TLS connection uses for key exchange, authentication, bulk encryption and message integrity. A cipher suite is weak or suboptimal when one of those algorithms has known vulnerabilities or weaknesses (for example RC4, DES/3DES or MD5), or when it lacks properties that current suites provide, such as forward secrecy or authenticated encryption.

If a server supports such cipher suites, a client (or an attacker able to influence the negotiation) can end up using one of them, exposing the connection to interception and tampering.

Why this is a problem

Weak ciphers provide inadequate encryption: an attacker who records the traffic may be able to recover the plaintext, for example through RC4 keystream biases or the Sweet32 attack on 3DES, and where the key exchange offers no forward secrecy a recorded session can be decrypted later if the server’s private key is ever compromised.

Weak cipher suites allow attackers to exploit them through downgrade attacks or cryptographic weaknesses. This can result in sensitive data being leaked, or in an attacker tampering with responses to redirect users to malicious sites.

Using suboptimal ciphers can result in non-compliance with security standards such as PCI DSS and HIPAA, can undermine confidence in the site, and in some cases may prevent users from connecting at all where modern browsers refuse the weak options a server insists on.

How to check if the problem is there

Check the web server’s SSL/TLS configuration for weak or suboptimal cipher suites: for example NULL, EXPORT-grade and anonymous suites, RC4, DES and 3DES, MD5-based suites, and suites using static RSA key exchange, which offer no forward secrecy.

Online tools such as Qualys SSL Labs report which protocols and cipher suites a public website negotiates. For servers that are not reachable from the internet, command-line scanners such as nmap’s ssl-enum-ciphers script or testssl.sh give the same information from inside the network.

How to fix this

Remove support for weak or suboptimal cipher suites in the server’s SSL/TLS configuration; on current server software the remaining list can normally be limited to forward-secret AEAD suites (ECDHE key exchange with AES-GCM or ChaCha20-Poly1305).

Order the remaining cipher suites so that the strongest are preferred, and configure the server to enforce its own order where the software supports this (for example ssl_prefer_server_ciphers in nginx or SSLHonorCipherOrder in Apache httpd).

Disable outdated protocols (SSLv3, TLS 1.0 and TLS 1.1) and ensure the server offers TLS 1.2 and TLS 1.3.

Keep the SSL/TLS library (for example OpenSSL) and the server software up to date so that current cipher suites are available, and check that they are actually enabled: upgrading the library does not change an explicit cipher list already set in the configuration.

Re-test the server’s SSL/TLS configuration periodically, and after any change to the server software or its TLS settings, using automated tools to confirm it still meets security best practice.
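The script below is an added example written for this page; it is not part of the original guidance or of any tool the page names. It serves both the "How to check" and "How to fix" sections: grade_cipher applies this page’s criteria to a cipher suite name in either IANA form (as nmap’s ssl-enum-ciphers script prints them) or OpenSSL form (as used in ssl_ciphers directives), and lint_nginx_tls applies the same grading to two constructed nginx fragments, one with the weak settings the page warns about and one with the corrected settings. The nginx directive names are real; the fragment contents are constructed for illustration, and the grading rules are a summary of the criteria on this page, not an exhaustive or authoritative list.

```shell
#!/bin/sh
# Added example for this page (not from the original guidance or any tool it
# names): grade cipher suite names and lint an nginx TLS configuration for the
# weak settings described above. The grading rules summarise this page's
# criteria and are not an exhaustive list.

# grade_cipher NAME
#   Prints "weak", "suboptimal" or "ok" for one cipher suite name, in IANA form
#   (TLS_RSA_WITH_3DES_EDE_CBC_SHA, as printed by nmap --script ssl-enum-ciphers)
#   or OpenSSL form (DES-CBC3-SHA, as used in nginx ssl_ciphers / Apache
#   SSLCipherSuite directives).
grade_cipher() {
    # Broken primitives or no security at all: NULL (no encryption or MAC),
    # anonymous key exchange, EXPORT-grade keys, RC4, DES/3DES, MD5.
    case "$1" in
        *NULL*|*anon*|*ADH*|*AECDH*|*EXP*|*RC4*|*DES*|*MD5*) echo weak; return ;;
    esac
    # Key exchange: TLS 1.3 suites and (EC)DHE suites give forward secrecy;
    # static RSA/DH lets a recorded session be decrypted later if the server's
    # private key ever leaks.
    case "$1" in
        TLS_AES_*|TLS_CHACHA20_*) echo ok; return ;;
        TLS_ECDHE_*|TLS_DHE_*|ECDHE-*|DHE-*) ;;
        *) echo suboptimal; return ;;
    esac
    # Record protection: AEAD (GCM, CCM, ChaCha20-Poly1305) is preferred over
    # CBC with HMAC, which has a history of padding-oracle problems.
    case "$1" in
        *GCM*|*CCM*|*POLY1305*) echo ok ;;
        *) echo suboptimal ;;
    esac
}

# lint_nginx_tls < nginx.conf
#   Prints one line per finding (old protocol enabled, TLS 1.3 missing, weak or
#   suboptimal suite in ssl_ciphers) and returns 0 only if there are none.
#   OpenSSL list keywords such as HIGH or !aNULL are not expanded here; resolve
#   them with: openssl ciphers -v 'LIST'
lint_nginx_tls() {
    conf=$(cat)
    findings=0
    has_tls13=no
    protocols=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*$/\1/p')
    for p in $protocols; do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "weak protocol enabled: $p"; findings=$((findings + 1)) ;;
            TLSv1.3) has_tls13=yes ;;
        esac
    done
    [ "$has_tls13" = yes ] || { echo "TLSv1.3 not enabled"; findings=$((findings + 1)); }
    ciphers=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*\(.*\);.*$/\1/p' | tr -d '"')
    [ -n "$ciphers" ] || echo "note: no ssl_ciphers directive, server default list in use"
    old_ifs=$IFS; IFS=:
    for c in $ciphers; do
        IFS=$old_ifs
        case "$c" in
            "!"*|"-"*|"+"*|"@"*) continue ;;   # list modifiers, nothing to grade
            *-*|TLS_*) ;;                      # a concrete suite name
            *) echo "note: keyword '$c' not expanded (see: openssl ciphers -v '$c')"; continue ;;
        esac
        g=$(grade_cipher "$c")
        [ "$g" = ok ] || { echo "$g cipher enabled: $c"; findings=$((findings + 1)); }
    done
    IFS=$old_ifs
    [ "$findings" -eq 0 ]
}

# Constructed sample: legacy settings of the kind this page warns about.
WEAK_NGINX_CONF='server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "RC4-SHA:DES-CBC3-SHA:AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256";
    ssl_prefer_server_ciphers on;
}'

# Constructed sample: the corrected settings, TLS 1.2/1.3 only, forward-secret
# AEAD suites in the server's preferred order, order enforced by the server.
HARDENED_NGINX_CONF='server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
    ssl_prefer_server_ciphers on;
}'

# To grade what a live server actually negotiates, feed nmap's output in:
#   nmap --script ssl-enum-ciphers -p 443 HOST | grep -o 'TLS_[A-Z0-9_]*' \
#     | while read -r c; do printf '%s %s\n' "$(grade_cipher "$c")" "$c"; done
echo "== weak sample =="
printf '%s\n' "$WEAK_NGINX_CONF" | lint_nginx_tls || echo "-> findings, fix before go-live"
echo "== hardened sample =="
printf '%s\n' "$HARDENED_NGINX_CONF" | lint_nginx_tls && echo "-> no findings"
```

The lint reads the configuration rather than the network, so it is suitable as a pre-deployment check alongside the live scan the page recommends; the two are complementary, because a correct file can still be overridden by an include or a default the lint does not see.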

Further information

A list of ciphers and protocols which provide strict security whilst maintaining good compatibility is published by Microsoft under the profile name 20220101S.

Consider aligning your configuration with these recommendations, which offer a good balance of security and compatibility.
