TLS_RSA_WITH_AES_128_CBC_SHA
TLS 1.0, TLS 1.1, TLS 1.2 | WEAK - Multiple Vulnerabilities Not Recommended
Cipher Suite Details
TLS_RSA_WITH_AES_128_CBC_SHA0x002F47What is TLS_RSA_WITH_AES_128_CBC_SHA?
TLS_RSA_WITH_AES_128_CBC_SHA is one of the oldest widely supported cipher suites, using static RSA key exchange, AES-128 in CBC mode, and SHA-1 for HMAC. This cipher suite suffers from multiple serious vulnerabilities: 1) No forward secrecy (static RSA), 2) CBC mode is vulnerable to padding oracle attacks (POODLE, Lucky 13, BEAST), 3) SHA-1 is cryptographically broken for collision resistance. This cipher suite is deprecated and should NEVER be used. It remains in browsers only for compatibility with ancient servers (pre-2008). PCI-DSS explicitly prohibits CBC cipher suites.
Role in JA3 Fingerprinting
The TLS_RSA_WITH_AES_128_CBC_SHA cipher suite is part of the TLS Client Hello that JA3 analyzes. Cipher suite order and selection are key indicators of browser type and version.
JA3 Format: TLS_VERSION,CIPHERS,EXTENSIONS,CURVES,POINT_FORMATS
Different browsers prioritize different cipher suites (Chrome prefers ChaCha20 on mobile, Firefox prioritizes AES-GCM, etc.), making cipher suite ordering a reliable fingerprint.
Test Your Cipher Suites
See which cipher suites your browser advertises, including TLS_RSA_WITH_AES_128_CBC_SHA.