Weak SSL/TLS Cipher Suites / Protocols Enabled

High Severity Technical Guide

Vulnerability Description

Allowing legacy SSL/TLS protocols (SSLv3, TLS 1.0, TLS 1.1) or weak cipher suites (like those using RC4, 3DES, or anonymous DH) makes HTTPS sessions vulnerable to decryption and man-in-the-middle (MITM) attacks. Modern standards require TLS 1.2 or TLS 1.3 with AEAD ciphers.

Remediation Guide

To resolve this vulnerability, follow these config changes or developer practices:

Restrict supported protocols to TLS 1.2 and TLS 1.3, and disable all weak ciphers. Example configuration for Nginx:

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;

Verify Your Fix

After applying the remediation, run an external attack-surface scan to verify that the vulnerability is no longer detected by WebScanify.

Is your website vulnerable?

Run a free security scan now to identify missing headers, outdated JS, and other deployment vulnerabilities.

Weak SSL/TLS Cipher Suites / Protocols Enabled

Vulnerability Description

Remediation Guide

Verify Your Fix

Share this Guide

Is your website vulnerable?