
TLS Cipher Audit — Find the Weak Suite

Medium TLS · 30 min

Flag submissions require login via tc_sso. Reading instructions does not.


Scenario

You ran nmap --script ssl-enum-ciphers -p 443 acme.example against the customer's edge host. The right pane shows the script output. Exactly one of the offered cipher suites is widely considered insecure (it is deprecated under PCI-DSS v4.0; RFC 7457 surveys the known TLS attacks behind such deprecations). Identify it.

Objective

Name the exact insecure cipher suite, in the IANA/RFC name format that nmap prints (TLS_..._WITH_..., not OpenSSL's short names).

Answer format

Submit the full suite name, uppercase, hyphens preserved:

TLS_RSA_WITH_3DES_EDE_CBC_SHA

(Example shape — not necessarily the answer.)

Tips

  • In the pane, TLS 1.2+ suites are listed first; read on down to the TLS 1.0/1.1 groups, since the weak suite may be offered only there.
  • "Weak" here means any of: a NULL cipher, an EXPORT-grade cipher, RC4, DES, 3DES, an MD5 MAC, anonymous DH, or a key exchange without forward secrecy (static RSA or static DH).

Hints

Hint 1 (−10 pts)

Scan each suite name for the red-flag tokens RC4, 3DES, DES, MD5, EXPORT, NULL and anon. Any one of them fails PCI-DSS v4.0.
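The keyword check above is easy to script so it runs over the whole nmap output at once instead of eyeballing each line. The following is an added example written for this page, not lab-provided code; the embedded nmap output is a constructed sample in the real ssl-enum-ciphers layout (it is not the lab's right pane), and the function names, the RED_FLAGS table and the reason strings are this example's own choices. It parses each protocol block, tags every suite with the red flags it hits plus whether its key exchange gives forward secrecy, and reports the hard failures separately from the forward-secrecy-only findings.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `nmap --script ssl-enum-ciphers -p 443 <host>` output,
# in the script's real layout. Illustration only; the lab answer must be read
# from the pane itself.
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C
"""

PROTO_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.\d):\s*$")
SUITE_RE = re.compile(r"^\|\s+(TLS_[A-Za-z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")

# Hard failures: the red-flag tokens from the hint, each with the reason it is
# disallowed. The single-DES pattern excludes 3DES so findings are labelled right.
RED_FLAGS = (
    (re.compile(r"_NULL_|_NULL$"), "NULL cipher or NULL MAC"),
    (re.compile(r"EXPORT"), "EXPORT-grade key length"),
    (re.compile(r"RC4"), "RC4 stream cipher (prohibited by RFC 7465)"),
    (re.compile(r"3DES"), "3DES 64-bit block cipher (Sweet32)"),
    (re.compile(r"(?<!3)DES_"), "single DES"),
    (re.compile(r"_MD5$"), "MD5 MAC"),
    (re.compile(r"anon"), "anonymous key exchange (no server authentication)"),
)
NO_FS = "no forward secrecy"


@dataclass
class Suite:
    protocol: str
    name: str
    kex_info: str   # nmap's parenthesised key-exchange detail, e.g. "rsa 2048"
    grade: str      # nmap's own letter grade for the suite
    reasons: list = field(default_factory=list)


def has_forward_secrecy(name):
    """Ephemeral (EC)DH key exchange. TLS 1.3 names carry no _WITH_ and are
    always ephemeral; static RSA, static (EC)DH, anon and plain PSK are not."""
    if "_WITH_" not in name:
        return True
    kex = name[len("TLS_"):name.index("_WITH_")]
    return kex.startswith(("ECDHE_", "DHE_"))


def classify(name):
    """Reasons a suite is weak, in RED_FLAGS order, then the forward-secrecy note."""
    reasons = [reason for pattern, reason in RED_FLAGS if pattern.search(name)]
    if not has_forward_secrecy(name):
        reasons.append(NO_FS)
    return reasons


def parse_enum_ciphers(text):
    """Walk the script output, tracking the current protocol block."""
    suites, protocol = [], None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            protocol = m.group(1)
            continue
        m = SUITE_RE.match(line)
        if m and protocol:
            name, kex_info, grade = m.groups()
            suites.append(Suite(protocol, name, kex_info, grade, classify(name)))
    return suites


def audit(text):
    """Every offered suite with at least one finding, in output order."""
    return [s for s in parse_enum_ciphers(text) if s.reasons]


def pci_failures(text):
    """Suite names hitting a hard red flag (not merely lacking forward
    secrecy), deduplicated across protocol versions, in first-seen order."""
    seen = []
    for s in parse_enum_ciphers(text):
        if s.name not in seen and any(r != NO_FS for r in s.reasons):
            seen.append(s.name)
    return seen


if __name__ == "__main__":
    for s in audit(SAMPLE_NMAP_OUTPUT):
        print(f"{s.protocol:8} {s.name:42} grade {s.grade}: {'; '.join(s.reasons)}")
    print("Hard failures:", pci_failures(SAMPLE_NMAP_OUTPUT))
```

Run it over the real output by replacing SAMPLE_NMAP_OUTPUT with the text copied from the pane. Note that nmap's own letter grade and its warnings block (the Sweet32 line in the sample) are an independent cross-check on the keyword match: a suite the keywords miss but nmap grades below A still deserves a look.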

Hint 2 (−10 pts)

In the right pane, find a suite containing the substring 3DES. That's it.

Hint 3 (−10 pts)

Answer: TLS_RSA_WITH_3DES_EDE_CBC_SHA
