During a routine audit a web server is flagged for allowing the use of weak ciphers. Which of the following
should be disabled to mitigate this risk? (Choose two.)
TLS 1.0 and SSL 1.0 both have known vulnerabilities and have been replaced by later versions. Any system
still offering these protocol versions should have them disabled.
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols
designed to provide communications security over a computer network. They use X.509 certificates and hence
asymmetric cryptography to authenticate the counterparty with whom they are communicating, and to exchange
a symmetric key. This session key is then used to encrypt data flowing between the parties. This allows for
data/message confidentiality, and message authentication codes for message integrity and as a by-product,
Netscape developed the original SSL protocol. Version 1.0 was never publicly released because of serious
security flaws in the protocol; version 2.0, released in February 1995, “contained a number of security flaws
which ultimately led to the design of SSL version 3.0”.
TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0. As stated in the
RFC, “the differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough to
preclude interoperability between TLS 1.0 and SSL 3.0”. TLS 1.0 does include a means by which a TLS
implementation can downgrade the connection to SSL 3.0, thus weakening security.
TLS 1.1 and then TLS 1.2 were created to replace TLS 1.0.
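The remediation the explanation describes, disabling the deprecated protocol versions on the server, can be checked in code. The following Python example is added here and is not part of the original question or its answer key. It reads a scanner-style report (the report text and its line format are constructed for this example, not the output of any real tool) and lists the offered versions that should be disabled, then shows a server-side SSLContext with no version floor beside one that requires TLS 1.2 or later, using only the standard library's ssl module.

```python
import re
import ssl

# Constructed sample of a protocol-support scan for the flagged web server.
# The layout is invented for this example; real scanners format output differently.
SCAN_REPORT = """\
SSLv2      not offered
SSLv3      offered (NOT ok)
TLS 1      offered (deprecated)
TLS 1.1    offered (deprecated)
TLS 1.2    offered (OK)
TLS 1.3    offered (OK)
"""

# Everything older than TLS 1.2 is treated as deprecated. SSLv2 and SSLv3 are
# included so the audit also catches the SSL versions the page discusses.
DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

_LINE = re.compile(r"^(SSLv[23]|TLS 1(?:\.[123])?)\s+(not offered|offered)")


def versions_to_disable(report: str) -> list[str]:
    """Return the deprecated protocol versions a server was seen to offer,
    in the order they appear in the report."""
    found = []
    for line in report.splitlines():
        match = _LINE.match(line)
        if not match:
            continue
        name, state = match.groups()
        # Normalise "TLS 1.x" to the "TLSv1.x" spelling used by the ssl module.
        name = name.replace("TLS 1", "TLSv1")
        if state == "offered" and name in DEPRECATED_VERSIONS:
            found.append(name)
    return found


def weak_server_context() -> ssl.SSLContext:
    """Before: no explicit version floor, so whatever the OpenSSL build still
    supports (possibly TLS 1.0 and 1.1) can be negotiated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_server_context() -> ssl.SSLContext:
    """After: refuse any handshake below TLS 1.2, which removes TLS 1.0/1.1
    and the SSL versions from the set a client can negotiate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def allows_deprecated(ctx: ssl.SSLContext) -> bool:
    """True if the context's version floor still permits anything below TLS 1.2.
    MINIMUM_SUPPORTED compares below every concrete version, so it counts as weak."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    print("Disable:", versions_to_disable(SCAN_REPORT))
    print("weak context allows deprecated versions:", allows_deprecated(weak_server_context()))
    print("hardened context allows deprecated versions:", allows_deprecated(hardened_server_context()))
```

The version floor is set with `minimum_version` rather than the older `OP_NO_*` option flags because a floor automatically excludes every version below it, including any the option flags were never written for; a server that also needs a specific cipher list would set it separately with `set_ciphers`, which this example leaves at the library default.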