Weak Cipher Suites

TLS 1.2 supports over 300 cipher suites. Many are cryptographically broken. Servers that negotiate CBC-mode cipher suites without explicit padding validation are vulnerable to POODLE and BEAST attacks. Export cipher suites (EXPORT40, EXPORT56) are broken by design. RC4 ciphers are statistically breakable. NULL cipher suites provide authentication without encryption β€” the equivalent of no TLS at all.

The practical issue is that legacy servers β€” particularly appliances, embedded devices, and old Java applications β€” often enable weak suites because old clients (similarly embedded or legacy) require them. Security teams disable these suites in their web servers but miss the API gateways, monitoring endpoints, and internal services that were configured years ago and never revisited.

# Recommended TLS 1.2 cipher suite allowlist (OpenSSL notation) # ECDHE provides forward secrecy; GCM/CHACHA20 are AEAD ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 # Suites to explicitly disable # !RC4 !3DES !DES !MD5 !EXPORT !NULL !aNULL !eNULL !PSK !SRP !DSS

The absence of forward secrecy (non-ECDHE suites) is particularly serious for long-term security. Without forward secrecy, an attacker who records encrypted TLS traffic today can decrypt it in the future if they later obtain the server's private key β€” a stored-ciphertext-now, decrypt-later threat that parallels quantum computing concerns.

TLS Version and Protocol Downgrade

TLS 1.0 and 1.1 are formally deprecated (RFC 8996). They have known structural weaknesses (BEAST, POODLE, CRIME for 1.0; various cipher restrictions for 1.1) and should not be supported. PCI DSS 4.0 requires TLS 1.2 as the minimum. Many organisations have disabled TLS 1.0/1.1 on public endpoints but not on internal services and APIs.

TLS downgrade attacks exploit protocol negotiation to force a client and server to agree on an older, weaker version. POODLE exploited this against SSL 3.0. The DROWN attack exploited TLS servers that simultaneously supported SSLv2 β€” a connection that negotiates TLS 1.2 can be attacked using the SSLv2 oracle on the same server. Disabling older protocol versions on all interfaces of a server is required β€” partial deprecation (public yes, internal no) leaves the oracle available.

Certificate Validation Bugs in Client Code

The most common TLS failure in application code is not a weak cipher β€” it is disabled or incomplete certificate validation. Developers encountering TLS errors in development or testing commonly add code to suppress validation, which then ships to production.

In Python requests: verify=False. In curl: -k. In Java: a custom TrustManager that overrides checkServerTrusted() with a no-op. In Go: InsecureSkipVerify: true. These are easy to grep for and they represent complete bypasses of certificate authentication β€” the "S" in HTTPS is still present in name, but TLS provides no authentication guarantee. Man-in-the-middle attacks are trivially possible.

Beyond outright disabling: validating that the certificate belongs to the expected hostname is distinct from validating that the certificate chain is valid. A custom certificate validator that only checks the chain but not the hostname allows an attacker with any valid certificate to intercept connections to your service.

Certificate Pinning: Where It Helps and Where It Breaks

Certificate pinning stores the expected public key or certificate fingerprint in the client application. At connection time, the client verifies that the server's certificate matches the pinned value β€” rejecting any certificate, even one signed by a trusted CA, that does not match.

This protects against CA compromise (a malicious or hacked CA issuing a fraudulent certificate for your domain) and against nation-state MITM using locally-trusted enterprise CAs. It is valuable for mobile banking apps, financial APIs, and government applications where the risk of CA compromise is real.

The failure mode is operational: a pinned certificate expires or is rotated, the old pin is in a shipped application binary, and users cannot connect until they update the app. This has caused production outages at major organisations. The mitigation is to pin the issuing CA's public key (rather than the leaf certificate), maintain a backup pin for the next certificate in the rotation, and implement a graceful fallback that alerts the security team while allowing traffic during a pin mismatch window.

HPKP is dead: HTTP Public Key Pinning (HPKP) was a browser-based pinning mechanism that was deprecated and removed from Chrome in 2018 and Firefox in 2020. A misconfigured HPKP header could permanently lock users out of a site. If you are still referencing HPKP in your configuration, remove it β€” it has no effect and the header itself can indicate outdated security configuration.

mTLS Misconfigurations

Mutual TLS (mTLS) adds client certificate authentication β€” the server verifies the client's identity using a certificate, not just credentials. It is widely used in service mesh (Istio, Linkerd), internal APIs, and zero-trust architectures. Misconfigurations are common because mTLS has two distinct validation requirements: the server validates the client certificate, and the client validates the server certificate.

Common mTLS failures: the server is configured to request but not require a client certificate (ssl_verify_client optional in nginx rather than on), meaning a request without a client certificate is accepted; the server validates the certificate chain but not the client's identity within the certificate (the Common Name or SAN is not checked against an allowlist); client certificates are long-lived without rotation, making compromised certs valid indefinitely; or the service mesh mTLS is configured correctly but the workload also accepts plaintext connections on a different port that bypasses the mesh.

TLS Inspection Risks

Enterprise TLS inspection proxies (Zscaler, Palo Alto, Blue Coat) terminate TLS connections, inspect the decrypted content, and re-encrypt with a locally-trusted certificate. This fundamentally breaks end-to-end encryption β€” the proxy sees all traffic in cleartext. The risks:

  • Downgraded cipher suites: Inspection proxies often re-encrypt with weaker cipher suites than the original server would have negotiated, reducing the security of the outbound connection.
  • Certificate validation quality: Some proxies perform less rigorous certificate validation than browsers, potentially allowing connections to servers with invalid certificates that the browser would have blocked.
  • Proxy itself as an attack target: A compromised inspection proxy has access to all decrypted traffic. It is a high-value target with broad network access.
  • Privacy of sensitive communications: Employee communications with banks, medical providers, and legal counsel are decrypted by employer proxies. This creates liability and compliance issues in many jurisdictions.

Auditing Your TLS Configuration

For public endpoints, SSL Labs' server test provides a comprehensive audit including protocol versions, cipher suites, certificate chain, HSTS, and known vulnerabilities. For internal endpoints and APIs, testssl.sh is the standard tool β€” it works against any TCP endpoint without requiring a browser.

Key checks to automate in CI/CD: certificate expiry (alert at 30 days, fail at 7), minimum TLS version enforcement, absence of deprecated cipher suites, HSTS header presence and max-age, and CAA DNS record verification (prevents unauthorized CA issuance for your domain).

Certificate Transparency: All publicly-trusted certificates are now logged in Certificate Transparency (CT) logs. Monitor CT logs for unexpected certificates issued for your domains using crt.sh or a commercial service. A certificate you did not issue for your domain is an indicator of either a CA error or an active attack.