MJB2011
asked on
Disabling weak ciphers - impact on browsers
Hi all,
I'm currently working on a project on tightening security on our web servers. The first step in this is disabling weak ciphers that are still currently enabled. I'm aware of the list of known weak ciphers, but I'm wondering, if I disable these, what the impact will be on the browsers connecting in?
We will disable SSLv3.
TLS 1.1 - Not sure what impact this will have?
Weak SHA - RC4 MD5
Is anyone aware of a list of browser versions that may be impacted?
ASKER
@Dan M
"Before doing so, I would verify that no sites require any of the older protocols or ciphers."
While this is my point, I cannot control the browsers that connect to our web servers. If I disable SSL v2 & 3, I may prevent them from working. Then again, you can't keep an insecure website for those who choose to run unsupported browsers.
Actually, to see the effect of the hardened website on browsers, the earlier-mentioned https://www.ssllabs.com/ is good, as it lists the various browser versions that can and cannot browse the site smoothly. Working it out, you may use other
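SSL Labs only reaches Internet-facing hosts. For an intranet server, or to re-check immediately after a change, the following PowerShell function does a smaller version of the same test locally. It is an added example, not code from the thread: it opens one TLS connection per protocol version using .NET's SslStream and reports which versions the server still accepts and what was negotiated. The function name and the host name are placeholders chosen here. Because the probe runs on the client machine's own SChannel stack, it can only offer protocols that machine has enabled, so a workstation with SSL 3.0 already disabled cannot confirm that the server refuses SSL 3.0; per-cipher-suite detail is also out of reach here, since .NET does not let a client pick individual suites, which is where SSL Labs or openssl s_client still earn their keep.

```powershell
# Added example: probe a server once per SSL/TLS version from a client's point of view.
# Assumes the target host/port below are your own server; change them before running.
function Test-TlsProtocol {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443,
        # Versions to try, oldest first. Ssl3 is marked obsolete in .NET but still resolves.
        [System.Security.Authentication.SslProtocols[]]$Protocols = @('Ssl3', 'Tls', 'Tls11', 'Tls12')
    )
    foreach ($proto in $Protocols) {
        $tcp = $null
        $ssl = $null
        try {
            $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
            # The { $true } callback accepts any certificate: this tests protocol
            # negotiation only, not trust, so do not reuse it for real connections.
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
            # Offer exactly one protocol version; the server either completes the
            # handshake at that version or the call throws.
            $ssl.AuthenticateAsClient($ComputerName, $null, $proto, $false)
            [pscustomobject]@{
                Protocol    = $proto
                Accepted    = $true
                Negotiated  = $ssl.SslProtocol
                Cipher      = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit / MAC $($ssl.HashAlgorithm)"
            }
        } catch {
            # A refused version surfaces as an AuthenticationException (or a reset socket).
            [pscustomobject]@{
                Protocol   = $proto
                Accepted   = $false
                Negotiated = $null
                Cipher     = $_.Exception.Message
            }
        } finally {
            if ($ssl) { $ssl.Dispose() }
            if ($tcp) { $tcp.Dispose() }
        }
    }
}

# Placeholder host: replace with the server you just hardened.
Test-TlsProtocol -ComputerName 'www.example.com' | Format-Table -AutoSize
```

After disabling SSL 3.0, TLS 1.0 and TLS 1.1 on the server, the expected picture is three rows with Accepted = False and one TLS 1.2 row showing the negotiated cipher; a False row for a version you meant to keep points at the client machine's own SChannel settings before it points at the server.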
You cannot keep old protocols working solely because you're worried about a subset of browsers. Is it worth the security risk on your side? I don't know the data your systems are holding, but even PCI has required companies to move to at least TLS 1.1. As has been pointed out, most recent browsers support TLS anyway. Honestly, I'd be more worried about the server product supporting TLS than I would be about the clients since they mostly have that already built in anyway.
Here is a good summary of TLS support by various browsers and versions. It is still best to use TLS 1.2 for public-facing Internet systems. You may give some leeway on the intranet, but compliance will drive you towards TLS 1.2 anyway.
https://en.m.wikipedia.org/wiki/Transport_Layer_Security#Cipher
As an example, IE uses the TLS implementation of the Microsoft Windows operating system, provided by the SChannel security support provider. TLS 1.1 and 1.2 are disabled by default until IE11.
TLS 1.0 is 18 years old. It should have been disabled 9 years ago when TLS 1.2 came out.
TLS 1.1 is 11 years old. Why are people even bothering to keep this around? It should have been disabled 5-6 years ago. TLS 1.2 came out 9 years ago, plenty of time to update everything by now.
Why do people wait until an actual attack before disabling ancient protocols? SSLv2 and SSLv3 remained available until attacks. That was just stupid. Modern Browsers already support TLS 1.2. IE is no longer modern.
I've only had TLS 1.2 enabled for most sites I've supported, and will only keep that for a year or two after TLS 1.3 is finally released.
Here is a link to a list of browsers that support TLS v1.2.
Link: https://qsportal.atlassian.net/wiki/plugins/servlet/mobile?contentId=3571715#content/view/3571715
I have used the utilities mentioned above to improve my web servers' (and client servers') security. I have not had browser issues with SSL or TLS reconfigurations on either the client or server side in the last 5 years or so.
I highly recommend using IISCrypto to disable old ciphers.
Before doing so, I would verify that no sites require any of the older protocols or ciphers.
Dan
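What IISCrypto does under the hood is write SChannel registry values, so, as an added example that is neither Dan's nor the thread's, here is a PowerShell script that makes the same changes without the GUI: it disables SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 on the server side, explicitly enables TLS 1.2, turns off the RC4, DES and NULL ciphers and the MD5 hash, then reads the protocol keys back. The function names are chosen here. Run it elevated, export the SCHANNEL key first so the change can be reverted, and reboot afterwards, since SChannel reads these values at start-up.

```powershell
#Requires -RunAsAdministrator
# Added example: the SChannel registry changes IISCrypto makes, scripted.
# Back up first:  reg export HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL schannel-backup.reg

$SchannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$Hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine,
    [Microsoft.Win32.RegistryView]::Registry64)

# Create (if needed) a subkey under SCHANNEL and write DWORD values into it.
# The .NET registry API is used instead of New-Item/Set-ItemProperty because
# cipher key names such as 'RC4 128/128' contain '/', which the PowerShell
# registry provider would treat as a path separator.
function Set-SchannelKey {
    param([string]$SubKey, [hashtable]$Values)
    $key = $Hklm.CreateSubKey("$SchannelPath\$SubKey")
    foreach ($name in $Values.Keys) {
        $key.SetValue($name, [int]$Values[$name], [Microsoft.Win32.RegistryValueKind]::DWord)
    }
    $key.Close()
}

# Protocols: the 'Server' subkey governs what browsers can negotiate with this box.
# ('Client' governs the box's own outbound TLS, e.g. to a back-end; left alone here.)
$DisabledProtocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'
foreach ($proto in $DisabledProtocols) {
    Set-SchannelKey "Protocols\$proto\Server" @{ Enabled = 0; DisabledByDefault = 1 }
}
# TLS 1.2 is off by default on older SChannel builds (e.g. Server 2008 R2), so turn it on
# explicitly. SChannel's "enabled" value is 0xFFFFFFFF; -1 written as a DWORD is exactly that.
Set-SchannelKey 'Protocols\TLS 1.2\Server' @{ Enabled = -1; DisabledByDefault = 0 }

# Ciphers and hash named in the question (RC4, MD5), plus single DES and the NULL cipher.
$DisabledCiphers = 'NULL', 'DES 56/56', 'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128'
foreach ($cipher in $DisabledCiphers) {
    Set-SchannelKey "Ciphers\$cipher" @{ Enabled = 0 }
}
Set-SchannelKey 'Hashes\MD5' @{ Enabled = 0 }

# Read the protocol keys back for the change record. An Enabled of -1 is 0xFFFFFFFF (on);
# a missing key means the OS default for that Windows build applies.
function Get-SchannelProtocolState {
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $key = $Hklm.OpenSubKey("$SchannelPath\Protocols\$proto\Server")
        [pscustomobject]@{
            Protocol          = $proto
            Enabled           = if ($key) { $key.GetValue('Enabled') } else { '(OS default)' }
            DisabledByDefault = if ($key) { $key.GetValue('DisabledByDefault') } else { '(OS default)' }
        }
        if ($key) { $key.Close() }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
Write-Host 'Reboot for SChannel to pick up the new settings.'
```

Two practical notes: the protocol and cipher lists are separate knobs, so disabling RC4 alone still leaves TLS 1.0 reachable with AES-CBC suites and vice versa, which is why the script touches both; and because TLS 1.2 is enabled explicitly rather than left to the OS default, the same script gives the same end state on an older server that ships with 1.2 off as on a current one.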