Allowing both 40 bit and 128 bit SSL on IIS7

Posted on 2009-07-01
Last Modified: 2012-05-07
This may sound like a dumb question but I'm confused and have done a lot of googling so it's time to ask the "experts". I'm configuring IIS7 for SSL and have purchased an SSL certificate with a key length of 2048 bits. I want to accept both SSL and regular http (non-SSL) traffic so I have NOT checked the IIS config box of "require SSL". So far I can accept both encrypted and non-encrypted connections as desired. Also I want to accept both 40 bit and 128 bit client encryption to ensure compatibility with older browsers (we're a library). But I can't find any way to enable 40 bit encryption in the IIS configuration. Do I need a separate certificate for 40 bit? I assumed the one SSL certificate would handle all desired encryption strengths but in my one test of an old IE 40 bit only browser, it would not connect. I'm hoping this is just a configuration change in IIS. Thanks.
Question by:gsee011198

Expert Comment

ID: 24763283
Three things on this:

1) 40 bit encryption is enabled by default.  As long as you don't force 128 bit usage or chop out the lower algorithms from the registry you're fine.  Lower-than-128-bit browsers will negotiate the server down until they find the best they can do.

2) All browsers have been 128 bit for almost a decade now.  Does your library have 3rd party rules to adhere to that state you must have 40 bit?  40 bit sessions can be hacked in a short enough period of time that the session can be realistically compromised.  It is not considered secure.  Actually, due to privacy concerns, the current trend is to not allow for SSL version 2 or SSL algorithms lower than 128 bit.

3) You might instead consider looking at an "SGC" (Server Gated Cryptography) certificate, sometimes also referred to as a 'step-up' certificate.  Basically, it allows non-128 bit browsers to step up to support the 128 bit algorithm that the server prefers.  This is also now being used to step-up 128 bit browsers to 256 bit sessions in cases where the server can support that.  I won't go into details on how this works, but this is probably your best option to actually protect the security of your customers.

Having a 2048 cert is a good thing to protect the integrity of the private key.  Your 2048 certificate is probably not an SGC cert - these cost a bit more and not all vendors offer them, but plenty do.  I think GoDaddy does, I know Comodo and Verisign do.  Also, consider the privacy concerns about not forcing SSL on certain sensitive pages, like logon pages and pages that contain PII.  This can be specified per page in IIS or a number of other methods like in a host header and are well documented.

Author Comment

ID: 24765747
Thanks Paranormastic for the detailed response. The web available data from our library is only name and address plus books checked out -- nothing financial so that's why we are not overly concerned about encryption level. One question -- when a library tested with an old version of IE5.0 with only 40 bit encryption, it could not connect. As soon as they upgraded to an old IE with 128 bit encryption, they could connect. This led me to think that we could not accept 40 bit connection requests -- do you have any additional ideas on this? From what you said, it seems that our new cert should handle both 40 bit and 128 bit by default.

Thanks again Paranormastic.

Accepted Solution

Paranormastic earned 250 total points
ID: 24818033
Does this also include their password?  That would be my main concern.  Name and address is public information (it's in the phone book) so wouldn't be a main concern, and tying that in with a book I don't think would change the level to become PII.  The password is a different story as most users tend to use the same password (or a couple passwords) for all the sites that require them.

Also double check the browser was set to support SSL v3.0 and not just SSL v2.0.  SSL v2.0 is disabled by default in 2008.  Enabling support for v2 would be bad - it has been considered invalid for many years now - v3 has been around for over 10 years but I forget offhand if it was actually enabled by default.

Either way, I highly recommend the SGC cert instead of a normal SSL cert if this is a concern - most vendors offer them you just might not see them as a front page ad.  It truly is the best solution.
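An added example, not part of the thread, that audits the SCHANNEL registry keys deciding whether the 40-bit ciphers mentioned in the first expert comment and the SSL 2.0 protocol mentioned in the accepted solution are offered by IIS on Windows Server 2008. The key and value names are Microsoft's documented SCHANNEL keys (KB245030); the labels printed and the function name are my own.

```powershell
# Added example (not from the original thread): read-only audit of SCHANNEL
# weak-cipher and legacy-protocol settings on Windows Server 2008 / IIS7.
$hklm     = [Microsoft.Win32.Registry]::LocalMachine
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Subkeys documented by Microsoft in KB245030. A missing key, or a key without
# an 'Enabled' value, means the OS default applies, which is why the 40-bit
# suites are offered "by default" unless someone explicitly disables them.
$weakCiphers     = @('RC2 40/128', 'RC4 40/128', 'RC4 56/128', 'DES 56/56', 'NULL')
$legacyProtocols = @('SSL 2.0')

function Get-SchannelState {
    # Returns how SCHANNEL currently treats one cipher or protocol subkey.
    param([string]$SubKey)
    # The .NET OpenSubKey API is used instead of Get-ItemProperty because the
    # '/' inside names like 'RC4 40/128' is parsed as a path separator by the
    # PowerShell registry provider and the lookup would silently miss the key.
    $k = $hklm.OpenSubKey("$schannel\$SubKey")
    if ($null -eq $k) { return 'absent (OS default applies)' }
    try {
        $v = $k.GetValue('Enabled')
        if ($null -eq $v) { return 'no Enabled value (OS default applies)' }
        if ($v -eq 0)     { return 'disabled' }
        return 'enabled'
    } finally { $k.Close() }
}

foreach ($c in $weakCiphers) {
    '{0,-16} {1}' -f $c, (Get-SchannelState -SubKey "Ciphers\$c")
}
foreach ($p in $legacyProtocols) {
    '{0,-16} {1}' -f "$p (server)", (Get-SchannelState -SubKey "Protocols\$p\Server")
}

# To explicitly turn a weak cipher off (the "chop out of the registry" the
# expert refers to), create its key with Enabled = 0 and reboot. Uncomment
# to apply; the same pattern works for 'Protocols\SSL 2.0\Server'.
# $parent = $hklm.OpenSubKey("$schannel\Ciphers", $true)
# $k = $parent.CreateSubKey('RC4 40/128')
# $k.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
# $k.Close(); $parent.Close()
```

Run it in an elevated PowerShell on the web server; a cipher reported as "absent (OS default applies)" is still negotiable by an old 40-bit browser, so the IE5 failure in the thread is more likely the SSL 2.0 versus 3.0 mismatch than a missing cipher.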

Author Closing Comment

ID: 31599062
Other related issues make this hard to solve cleanly.    Paranormastic gave a thorough and logical answer.
