For easier reading and further commenting check here: https://security.stackexchange.com/...-exploitable-chrome-bundled-tls-mitm-backdoor

Steps to reproduce the problem:

Run Chrome with command line parameter:

--cipher-suite-blacklist=0x9c,0x9d,0x2f,0x35,0xa

or

--cipher-suite-blacklist=0x000a,0x0009c,0x0009d,0x0002f,0x00035

or both together... then check out https://www.ssllabs.com/ssltest/viewMyClient.html

Using the latest Chrome stable & Chrome beta, the only cipher that can be disabled with --cipher-suite-blacklist= is 0xa, aka TLS_RSA_WITH_3DES_EDE_CBC_SHA, though as of late it must be renamed to 0x000a in order for the block to take place.

What is the expected behavior?

All weak ciphers should be disabled.

What went wrong?

Chrome TLS is now less secure than ever. While 3DES_EDE is successfully disabled with "--cipher-suite-blacklist=", these cannot be disabled no matter what string you use:

TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256

These ciphers are vulnerable to attacks via MITM... merely replace the cipher order in the hello packet with Chrome's weakest and boom, you're a goner:

February 9, 2019: "Seven researchers from all over the world found --yet again-- another way to break RSA PKCS#1 v1.5, the most common RSA configuration used to encrypt TLS connections nowadays. Besides TLS, this new Bleichenbacher attack also works against Google's new QUIC encryption protocol as well." https://www.zdnet.com/article/new-tls-encryption-busting-attack-also-impacts-the-newer-tls-1-3/

February 8, 2019: "Craig Young, a computer security researcher for Tripwire's Vulnerability and Exposure Research Team, found vulnerabilities in SSL 3.0's successor, TLS 1.2, that allow for attacks akin to POODLE due to TLS 1.2's continued support for a long-outdated cryptographic method: cipher block-chaining (CBC). The flaws allow man-in-the-middle (MitM) attacks on a user's encrypted Web and VPN sessions." Source: https://www.darkreading.com/vulnera...odle-attack-bred-from-tls-flaw/d/d-id/1333815

Chrome developers have been abhorrent when it comes to cipher security. Users have been asking for 9 years for group policy and options to order and enable/disable ciphers and ECC. Nothing like this has been implemented; in fact they have now impaired our ability to turn off exploitable ciphers, so Chrome developers basically have implemented a de facto backdoor you cannot disable, leaving everybody at risk. Anybody know how to disable this backdoor?
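The reproduction steps check the result with the SSL Labs client test. As an added example that is not part of the original report, the following Python script performs the same check offline on a captured ClientHello (for instance one exported from a packet capture of the browser's first bytes to a server): it parses the TLS record, lists the cipher suite IDs the client offers in wire order, and reports which of the IDs passed to --cipher-suite-blacklist are still advertised. The sample ClientHello is constructed inside the script (via the example's own build_client_hello helper) and the suite-name table is the example's own; neither is Chrome's code or output.

```python
import struct

# Cipher suite IDs named in the report plus a few ECDHE suites for contrast (IANA values).
SUITE_NAMES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xCCA8: "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

# The IDs the report passes to --cipher-suite-blacklist.
BLACKLIST = [0x009C, 0x009D, 0x002F, 0x0035, 0x000A]


def parse_flag(value):
    """Parse a --cipher-suite-blacklist value such as "0x9c,0x000a" into integer suite IDs."""
    return [int(tok, 16) for tok in value.split(",") if tok.strip()]


def build_client_hello(suites, random_bytes=b"\x00" * 32):
    """Construct a minimal TLS 1.2 ClientHello record offering `suites` in the given order.

    Helper belonging to this example (constructed sample input, not a real capture)."""
    body = b"\x03\x03" + random_bytes                         # client_version, random
    body += b"\x00"                                            # empty session_id
    body += struct.pack("!H", 2 * len(suites))                 # cipher_suites length
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                        # compression_methods: null only
    body += b"\x00\x00"                                        # no extensions
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type=ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the cipher suite IDs offered in a TLS ClientHello record, in wire order.

    Only the fields up to cipher_suites are walked; extensions after them are ignored."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                               # skip client_version + random
    if len(body) < pos + 1:
        raise ValueError("truncated ClientHello")
    sid_len = body[pos]
    pos += 1 + sid_len
    if len(body) < pos + 2:
        raise ValueError("truncated ClientHello")
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


def still_offered(record, blacklist):
    """Which of the blacklisted suite IDs the ClientHello still advertises, in blacklist order."""
    offered = parse_client_hello(record)
    return [s for s in blacklist if s in offered]


def describe(suite_id):
    """Human-readable name for a suite ID; unknown IDs (e.g. GREASE values) are labelled as such."""
    return SUITE_NAMES.get(suite_id, "unknown") + " (0x%04x)" % suite_id


if __name__ == "__main__":
    # Constructed sample: a client that dropped 3DES but kept the RSA AES suites,
    # i.e. the outcome the report describes after applying the flag.
    sample = build_client_hello([0xC02B, 0xC02F, 0xCCA8, 0x009C, 0x009D, 0x002F, 0x0035])
    print("offered:", ", ".join(describe(s) for s in parse_client_hello(sample)))
    for s in still_offered(sample, parse_flag("0x9c,0x9d,0x2f,0x35,0x000a")):
        print("still offered despite blacklist:", describe(s))
```

To use it on a real capture, export the raw bytes of the first TLS record the browser sends (the ClientHello) and pass them to parse_client_hello; a real ClientHello carries extensions and, in Chrome, GREASE suite values, both of which this parser tolerates because it stops walking the body after cipher_suites and reports unknown IDs as such.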