Short answer
RC4 has statistical weaknesses that let an attacker recover plaintext; 3DES is vulnerable to the SWEET32 collision attack because of its small 64-bit block size; CBC suites in TLS 1.0/1.1 were hit by BEAST and POODLE; and export ciphers (with deliberately weakened keys) enabled FREAK and Logjam. All should be removed entirely — not kept as a fallback. Use AEAD ciphers instead (AES-GCM, ChaCha20-Poly1305).
RC4 — recoverable plaintext
RC4 is a stream cipher with statistical biases: certain bytes in the keystream are slightly more likely than others. With enough recorded sessions of the same plaintext (e.g. a session cookie sent over and over), an attacker can statistically recover it. It was once a recommended cure for BEAST — a bitter irony, since it turned out to be worse. RC4 is now banned in all modern TLS configurations.
3DES — SWEET32 and 64-bit blocks
3DES encrypts in 64-bit blocks. That sounds harmless, but it means that after roughly 32 GB of data on the same key it becomes statistically likely that two blocks collide — and a collision leaks information about the plaintext. The SWEET32 attack exploits exactly this against long-lived connections. Modern ciphers such as AES use 128-bit blocks, where the limit sits astronomically high.
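Where the 32 GB figure comes from, as an added derivation that is not part of the original page. It uses the standard birthday approximation, with $b$ the block size in bits and $n$ the number of blocks encrypted under one key:

$$P(\text{collision}) \approx 1 - e^{-n(n-1)/2^{b+1}}$$

For 3DES, $b = 64$ and each block is 8 bytes, so $n = 2^{32}$ blocks is $2^{35}$ bytes = 32 GiB. The exponent is then about $2^{64}/2^{65} = 1/2$, giving $P \approx 1 - e^{-1/2} \approx 0.39$. For AES, $b = 128$ and each block is 16 bytes, so the same 32 GiB is $n = 2^{31}$ blocks and $P \approx 2^{62}/2^{129} = 2^{-67}$. Reaching $P \approx 0.39$ with AES takes $n = 2^{64}$ blocks, which is $2^{68}$ bytes under a single key.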
CBC suites — BEAST and POODLE
CBC (Cipher Block Chaining) is an encryption mode, not a cipher in itself, but CBC suites in TLS 1.0/1.1 had a predictable initialisation vector (BEAST) and were vulnerable to padding oracle attacks (POODLE in SSL 3.0). The problem is structural: CBC separates encryption and authentication, which opens the door to tampering. AEAD ciphers solve it by combining the two. CBC suites in TLS 1.2 are not as bad, but there is no reason to keep them when AEAD is available.
Export ciphers — FREAK and Logjam
In the 1990s US export law required deliberately weakened "export grade" ciphers with 512-bit RSA or DH. They were never fully removed from libraries, and in 2015 FREAK and Logjam showed that an attacker could force a server down to the weak keys and break them in hours. The lesson: a weak cipher merely sitting in the configuration as an option is an active risk, not a dormant one.
The attacks at a glance
| Attack | Affects | Problem |
|---|---|---|
| SWEET32 | 3DES, Blowfish | 64-bit block collision |
| BEAST | CBC in TLS 1.0 | Predictable IV |
| POODLE | CBC in SSL 3.0 | Padding oracle |
| FREAK / Logjam | Export RSA/DH | Forced weak key |
| RC4 bias | RC4 | Statistical plaintext leak |
Find them on your server
```bash
# Lists all accepted suites with a grade — look for RC4/3DES/CBC/EXPORT
nmap --script ssl-enum-ciphers -p 443 example.com

# testssl checks specifically for the named vulnerabilities
testssl.sh --vulnerable example.com
```
If you see RC4, 3DES, DES-CBC3, EXP- or any suite without ECDHE and without GCM/POLY1305, there is something to remove. The full testing arsenal is in how to test your TLS ciphers.
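The rule of thumb above can be applied mechanically to scanner output. The following is an added example, not code from the original page: it maps suite names in both OpenSSL and IANA spelling to the attack families in the table, and additionally flags NULL suites. The function names are hypothetical and the scanner output is a constructed sample.

```python
import re

# Attack families from the table above, keyed by fragments of OpenSSL-style
# (testssl.sh) and IANA-style (nmap ssl-enum-ciphers) suite names.
FAMILIES = [
    ("export key (FREAK / Logjam)", re.compile(r"(^|[-_])EXP(ORT)?\d*([-_]|$)")),
    ("RC4 bias", re.compile(r"RC4")),
    ("64-bit block (SWEET32)", re.compile(r"(^|[-_])3?DES([-_]|$)")),
    ("no encryption (NULL)", re.compile(r"NULL")),
]
AEAD = re.compile(r"GCM|POLY1305|CCM")  # CCM is AEAD too; the page names the first two

# Constructed sample in the shape of ssl-enum-ciphers output (not a real scan).
SAMPLE_NMAP = """\
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
"""


def classify(suite):
    """Return the reasons a suite should be removed (empty list = keep)."""
    name = suite.upper()
    reasons = [label for label, pattern in FAMILIES if pattern.search(name)]
    stream_or_null = "RC4" in name or "NULL" in name
    if not AEAD.search(name) and not stream_or_null:
        # Up to TLS 1.2 a suite that is neither AEAD nor stream is a CBC suite,
        # even when the OpenSSL name omits "CBC" (e.g. AES128-SHA).
        reasons.append("CBC mode, not AEAD")
    return reasons


def suites_from_nmap(text):
    """Extract IANA suite names from ssl-enum-ciphers style text."""
    return re.findall(r"\bTLS_[A-Z0-9_]+\b", text)


def audit(names):
    """Map each flagged suite to its reasons; clean suites are omitted."""
    return {name: reasons for name in names if (reasons := classify(name))}


if __name__ == "__main__":
    offered = suites_from_nmap(SAMPLE_NMAP) + ["EXP-RC4-MD5", "ECDHE-RSA-CHACHA20-POLY1305"]
    for suite, reasons in audit(offered).items():
        print(f"REMOVE {suite}: {', '.join(reasons)}")
```

The classifier works on names only, so it does not know which protocol version a suite was offered under; a CBC suite is flagged whether it was seen on TLS 1.0 or TLS 1.2.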
How to remove them
```nginx
# nginx — explicitly exclude the old ones (or use Mozilla intermediate)
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!3DES:!DES:!EXPORT:!eNULL:!CBC;
ssl_prefer_server_ciphers off;
```
The cleanest solution is not to block individually but to allow-list the good list — see the best TLS cipher suites. Remember to also disable TLS 1.0 and 1.1, since many of the attacks are tied to the old protocols.
Why it is hard to keep clean
The real challenge is not removing a weak cipher once — it is keeping it from creeping back. A rebuilt image with an old OpenSSL default, a new load balancer, a copied legacy config: suddenly one server offers 3DES again. CertControl scans all your endpoints continuously and raises a finding with severity the moment an outdated cipher or protocol reappears — so you catch the regression at the next scan, not at the next penetration test. Understand what the names mean in what is a cipher suite.
Frequently asked questions
Is it dangerous to keep weak ciphers "just as a fallback"?
Yes. FREAK and Logjam showed an attacker can force a connection down to the weakest offered cipher. A weak suite in the configuration is therefore an active risk to all clients, not just the old ones that might use it.
Why is 3DES vulnerable if the algorithm itself is not broken?
The problem is not key strength but block size. 3DES uses 64-bit blocks, and after around 32 GB on the same key, block collisions become likely — that is what SWEET32 exploits. AES's 128-bit blocks do not have that limit in practice.
Are all CBC suites dangerous?
CBC in SSL 3.0 and TLS 1.0/1.1 was hit by BEAST and POODLE. CBC in TLS 1.2 is less bad, but there is no reason to keep it when AEAD ciphers (GCM, ChaCha20-Poly1305) are available and better in every way.
What is an export cipher?
A deliberately weakened cipher from the 1990s with short keys (e.g. 512-bit RSA), originally required by US export law. They are trivially breakable today and must be removed entirely.
How do I know if my servers still offer them?
Scan them with nmap ssl-enum-ciphers or testssl.sh, or use continuous scanning that automatically raises a finding when an outdated cipher appears — including on the servers you have forgotten.