Disable Weak TLS Cipher Suites (CBC-mode Ciphers) in Managed Commerce Environments
As part of a recent internal and third-party security assessment (conducted by Optiv Security), our organization identified that our Optimizely Configured Commerce production environment (www.whitecap.com) currently supports weak TLS cipher suites, including CBC-mode ciphers.
These ciphers are considered outdated and potentially vulnerable to known cryptographic attacks (e.g., Lucky 13 and BEAST). Security best practices and compliance frameworks (such as PCI DSS, NIST SP 800-52r2, and OWASP guidelines) recommend disabling weak or deprecated cipher suites and enforcing stronger ones such as AES-GCM or CHACHA20_POLY1305 with TLS 1.2+ only.
During our support engagement (Ticket #1789304), the SRE team confirmed that removing weak ciphers is not currently supported within the managed Optimizely infrastructure. We request that Optimizely provide customers with the ability to:
Disable weak cipher suites (especially CBC-mode ciphers) at the environment level.
Enforce modern cipher configurations (AES-GCM or CHACHA20_POLY1305).
Optionally, provide visibility into the active cipher suite list for validation and audit purposes.
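Until an environment-level cipher list is exposed, a customer can still produce the validation artefact the third point asks for by probing the endpoint themselves. The script below is an added example for this thread, not Optimizely's or Cloudflare's tooling: it classifies cipher-suite names (IANA `TLS_..._WITH_..._CBC_SHA` style or OpenSSL `ECDHE-RSA-AES128-SHA256` style) as AEAD, CBC-mode, or legacy, audits a list exported from any scanner, and can optionally offer a live TLS 1.2 server one suite at a time with the standard-library `ssl` module to see which it accepts. The `SAMPLE_SCAN` list is constructed for illustration and is not the actual cipher list of any host named on this page.

```python
"""Audit a TLS endpoint's cipher suites and flag CBC-mode and legacy ones.

Added example for this feature request; not part of Optimizely's or
Cloudflare's tooling. Requires only the Python standard library (3.7+).
"""
import re
import socket
import ssl
import sys

# Markers for suites that are weak for reasons other than CBC padding
# (stream cipher RC4, NULL encryption, export grades, anonymous key
# exchange, MD5 MACs, single DES). Checked before the AEAD/CBC tests.
LEGACY_MARKERS = ("RC4", "NULL", "EXPORT", "EXP-", "ADH-", "AECDH-", "ANON",
                  "MD5", "DES-CBC-SHA", "_DES_CBC_")
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")

# Constructed sample: what a scanner (or the requested environment-level
# view) might return for a TLS 1.2/1.3 endpoint. Not a real host's list.
SAMPLE_SCAN = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]


def classify_suite(name: str) -> str:
    """Return 'legacy', 'aead', 'cbc' or 'other' for a suite name."""
    n = name.upper()
    if any(m in n for m in LEGACY_MARKERS):
        return "legacy"
    if any(m in n for m in AEAD_MARKERS):
        return "aead"
    if "CBC" in n:
        return "cbc"
    # OpenSSL-style names omit "CBC": a block cipher whose suffix is an
    # HMAC tag (-SHA, -SHA256, -SHA384) is a CBC-mode suite, e.g.
    # ECDHE-RSA-AES128-SHA256. 3DES (DES-CBC3-SHA) lands here as CBC too.
    if re.search(r"(AES|CAMELLIA|SEED|IDEA|DES)", n) and re.search(r"-SHA(256|384)?$", n):
        return "cbc"
    return "other"


def audit_suite_list(names):
    """Bucket a list of suite names; the result is the audit report."""
    report = {"aead": [], "cbc": [], "legacy": [], "other": []}
    for n in names:
        report[classify_suite(n)].append(n)
    return report


def is_compliant(report) -> bool:
    """True only if every offered suite is an AEAD suite (AES-GCM, CHACHA20-POLY1305, CCM)."""
    return not report["cbc"] and not report["legacy"] and not report["other"]


def probe_host(host, port=443, candidates=None, timeout=5.0):
    """Live check (network required): offer one TLS 1.2 suite per handshake.

    Returns {openssl_suite_name: accepted}. TLS 1.3 suites are all AEAD, so
    CBC exposure can only appear in the TLS 1.2 handshake, which is why the
    version is pinned. Certificate verification is disabled because the
    question here is what the server negotiates, not whether its cert is valid.
    """
    if candidates is None:
        enum_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        enum_ctx.set_ciphers("ALL")  # everything the local OpenSSL knows
        candidates = [c["name"] for c in enum_ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]
    results = {}
    for suite in candidates:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.set_ciphers(suite)
        except ssl.SSLError:
            continue  # not compiled into the local OpenSSL; cannot test it
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[suite] = tls.cipher()[0] == suite
        except (ssl.SSLError, OSError):
            results[suite] = False  # handshake refused: suite not offered
    return results


if __name__ == "__main__":
    names = SAMPLE_SCAN
    if len(sys.argv) > 1:  # usage: python audit_ciphers.py <host> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        names = [s for s, ok in probe_host(sys.argv[1], port).items() if ok]
    rep = audit_suite_list(names)
    for bucket in ("cbc", "legacy", "other", "aead"):
        for s in rep[bucket]:
            print(f"{bucket:6s} {s}")
    print("compliant (AEAD only):", is_compliant(rep))
```

Run with no arguments to audit the constructed sample, or with a hostname to audit what the live server actually accepts; the CBC bucket is the list to hand to the vendor or the assessor. Because the platform terminates TLS at the edge, repeat the probe from a few vantage points: an edge-wide change, as the vendor describes, should show up identically everywhere.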
We acknowledge that security scanners do flag these cipher suites as weak, and they are not disabled. However, cipher configuration for Configured Commerce is managed globally through Cloudflare, and we are not able to disable these ciphers on behalf of customers; our approach is to rely on Cloudflare to proactively remove or deprecate cipher suites when publicly known vulnerabilities are discovered in them. In the event that one of these ciphers becomes a high-severity risk, Cloudflare would take action at the platform level, which would apply across all customers.