This article explains why Okta's TLS 1.2 configuration still accepts cipher suites that testing tools label as "weak", such as suites that use Cipher Block Chaining (CBC) mode.
- Transport Layer Security (TLS) 1.2
- Penetration Testing
- Cipher Suite
Okta does not modify its TLS 1.2 cipher suite by removing any ciphers labeled as "weak", given the varying compatibility needs of its customers. Note that "weak" does not mean insecure. Cipher suites marked as "weak" by testing tools are still commonly used by web clients, and are not known to be exploitable. If a cipher suite is known to be exploitable, it will be marked as "insecure" instead of "weak". Additionally, while any enabled cipher suite could be used in an attack, forcing the use of a "weak" cipher suite would require the attacker to compromise the endpoint or mount an adversary-in-the-middle attack, both of which can be detected and prevented with endpoint protection tools.
As a multi-tenant service, Okta does not currently allow customers to customize the TLS cipher suite. The Okta service always prefers the strongest TLS cipher that supports perfect forward secrecy, but currently allows the use of other ciphers to accommodate the compatibility needs of specific customers.
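The policy described above (AEAD suites with forward secrecy are preferred, CBC and non-PFS suites remain enabled, and "weak" is distinct from "insecure") can be checked against a scanner's output. The following Python script is an added example, not Okta's code or configuration: it classifies OpenSSL- or IANA-style cipher suite names into strong / weak / insecure, shows which suite a server-preference server negotiates for a given client offer, and audits whether the preference order puts every strong suite ahead of the first weak one. The server preference list and client offers are constructed sample data, not a scan of any Okta endpoint.

```python
# Added example: audit a reported TLS 1.2 cipher suite list against the
# "prefer PFS+AEAD, tolerate weak, reject insecure" policy. Not Okta's code.

# Constructed sample: suites a scanner might report, in the server's
# preference order (OpenSSL names). Strong AEAD+PFS suites come first,
# then CBC-with-PFS, then non-PFS suites that exist for compatibility.
SAMPLE_SERVER_PREFERENCE = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",   # CBC mode, but forward secret -> "weak"
    "ECDHE-RSA-AES128-SHA256",
    "AES256-GCM-SHA384",         # AEAD, but static RSA key exchange -> "weak"
    "AES128-GCM-SHA256",
    "AES256-SHA",                # CBC and no PFS -> "weak"
    "AES128-SHA",
]

# Algorithms scanners flag as exploitable rather than merely weak.
INSECURE_MARKERS = ("RC4", "NULL", "EXP", "ADH-", "AECDH-", "-MD5")


def classify(suite):
    """Return (rating, reasons) for one cipher suite name.

    rating is "insecure", "weak" or "strong". "weak" means the suite is
    still negotiable by common clients but lacks AEAD (i.e. uses CBC) or
    lacks forward secrecy; "insecure" means a known-exploitable primitive.
    """
    name = suite.upper().replace("_", "-")  # accept IANA and OpenSSL spellings
    if any(marker in name for marker in INSECURE_MARKERS):
        return "insecure", ["known-exploitable algorithm"]
    # TLS 1.3 suite names carry no key-exchange part; they are always PFS+AEAD.
    tls13 = name.startswith("TLS-AES-") or name.startswith("TLS-CHACHA20-")
    pfs = tls13 or "ECDHE-" in name or name.startswith("DHE-") or "-DHE-" in name
    aead = any(mode in name for mode in ("GCM", "CHACHA20", "CCM"))
    reasons = []
    if not aead:
        reasons.append("CBC mode (no AEAD)")
    if not pfs:
        reasons.append("no forward secrecy")
    return ("weak" if reasons else "strong"), reasons


def negotiate(server_preference, client_offer):
    """Pick the suite a server honouring its own order would select.

    The first suite in the server's list that the client also offers wins;
    a client that offers only CBC suites therefore still gets CBC.
    """
    offered = set(client_offer)
    for suite in server_preference:
        if suite in offered:
            return suite
    return None  # no common suite: handshake fails


def audit(server_preference):
    """Summarise a preference list: per-suite ratings plus two policy checks."""
    ratings = {suite: classify(suite) for suite in server_preference}
    order = [rating for rating, _ in ratings.values()]
    first_weak = next((i for i, r in enumerate(order) if r != "strong"), len(order))
    return {
        "ratings": ratings,
        "has_insecure": "insecure" in order,
        # True when the list starts strong and no strong suite sits after a weak one
        "prefers_pfs_aead": bool(order) and order[0] == "strong"
        and "strong" not in order[first_weak:],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_SERVER_PREFERENCE)
    for suite, (rating, reasons) in report["ratings"].items():
        print(f"{suite:32} {rating:8} {', '.join(reasons)}")
    print("prefers PFS+AEAD:", report["prefers_pfs_aead"])
    print("has insecure    :", report["has_insecure"])
    # Constructed client offers: a modern client and a legacy CBC-only client.
    print(negotiate(SAMPLE_SERVER_PREFERENCE,
                    ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]))
    print(negotiate(SAMPLE_SERVER_PREFERENCE, ["AES128-SHA"]))
```

Feed the script the suite list from your own scanner output to separate "weak" findings (CBC or non-PFS suites that a server-preference ordering only hands to clients that cannot do better) from "insecure" ones that warrant a ticket.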
