While theoretically secure, CBC ciphers are considered weak because of their implementation. They are more often than not vulnerable to padding oracle attacks. These issues have been around for more than a decade, but they keep popping up. The last 3-ish years a larger push has been made to disable CBC ciphers (in SSL/TLS, SSH, etc.). See [0, 1, 2, 3, and 4] for more information. GCM/CTR is considered to be a more secure alternative.

[0]: https://en.wikipedia.org/wiki/Padding_oracle_attack#Padding_...
[1]: https://www.openssh.com/txt/cbc.adv
[2]: https://ieeexplore.ieee.org/document/5207634 (is CPNI-957037)
[3]: https://alicegg.tech/2019/06/23/aes-cbc.html
[4]: https://docs.microsoft.com/en-us/dotnet/standard/security/vu...
[n]: You can find more information with a quick search; this also includes security advisories from HPE, RedHat, IBM, and F5.
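Added example (not part of the comment above) illustrating the gap the comment points at: with Go's standard library, a CBC decryptor whose only check is PKCS#7 padding accepts a one-bit-tampered ciphertext as valid and leaks a distinguishable padding error, whereas AES-GCM rejects the same tamper. The key, IV, nonce and message are constructed values chosen for reproducibility.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
)
// Constructed, fixed key/IV/nonce so the demo is reproducible; real code uses
// random IVs, never-repeating nonces and keys from a KDF or key store.
var key = []byte("0123456789abcdef") // AES-128 key
var iv = []byte("fedcba9876543210")  // 16-byte CBC IV
var nonce = []byte("nonce-12byte")   // 12-byte GCM nonce

// ErrBadPadding is the distinguishable failure a padding oracle leaks.
var ErrBadPadding = errors.New("invalid PKCS#7 padding")

func cbcEncrypt(pt []byte) []byte {
	block, _ := aes.NewCipher(key)
	n := aes.BlockSize - len(pt)%aes.BlockSize // PKCS#7 always appends padding
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct
}

// cbcDecrypt only checks the padding: it has no way to detect other tampering.
func cbcDecrypt(ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, ErrBadPadding
	}
	return pt[:len(pt)-n], nil
}

// TamperTest flips one bit of the first ciphertext byte in both modes and
// reports whether CBC still decrypts "successfully" and whether GCM rejects it.
func TamperTest() (cbcAccepted, gcmRejected bool) {
	msg := []byte("transfer=0100;to=alice;note=rent") // 32 bytes: padding gets its own block
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block) // AEAD: every ciphertext bit is covered by the tag
	cbcCT, gcmCT := cbcEncrypt(msg), aead.Seal(nil, nonce, msg, nil)
	cbcCT[0], gcmCT[0] = cbcCT[0]^1, gcmCT[0]^1
	_, cbcErr := cbcDecrypt(cbcCT)                 // padding block intact: nil error, garbled plaintext
	_, gcmErr := aead.Open(nil, nonce, gcmCT, nil) // tag mismatch: error
	return cbcErr == nil, gcmErr != nil
}
```

The distinct ErrBadPadding result is exactly the signal a padding oracle attack consumes; an AEAD mode such as GCM removes it by failing identically on any modification.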