April 14, 2014 at 9:08 am
After revamping my Firefox cipher suite list (about:config, search for tls and then search for ssl) and adding Calomel SSL Validation, HTTPS Everywhere (from eff.org), CipherFox and HTTP Nowhere, I was fairly surprised to see the following.
The list is in order of importance:
----
This web server instance is not and never was vulnerable to Heartbleed, since it runs IIS 7 (and 7.5 and 8.0 aren't vulnerable and never were either). Good result!
----
I'd suggest disabling SSLv2 entirely.
Qualys SSL Labs reports SSLv2 is available:
"This server supports SSL 2, which is obsolete and insecure. Grade set to F.
...
Protocols
TLS 1.2 No
TLS 1.1 No
TLS 1.0 Yes
SSL 3 Yes
SSL 2 INSECURE Yes"
----
Qualys SSL Labs (link above) also reports a cipher suite list that seems pretty odd:
"The server does not support Forward Secrecy with the reference browsers."
Note that in the cipher suite list does have two Forward Secrecy cipher suites, but they're in the middle; they do work properly if the clients has TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA disabled, though, so simply moving them to the top would be nice.
At least the TLS_RSA_WITH_RC4_128_MD5 cipher suite should be removed - MD5 is broken. I'd remove all RC4 cipher suites at this time.
----
I would suggest having HTTPS coverage extended across the entire site, instead of just the login page.
See HTTPS Mixed Content: Still the Easiest Way to Break SSL
At the same time, you could then enable HSTS (even on IIS 7.0).
----
I might also suggest upgrading IIS versions to 7.5, 8.0, or 8.5 and enabling TLS 1.2 cipher suites.
April 15, 2014 at 8:26 pm
Thanks, I didn't think we were vulnerable, but hadn't checked.
Not sure we want to move the entire site to SSL, though I understand what you mean here, but perhaps moving to SSL 3 would be something I can get done.
April 16, 2014 at 8:23 am
Steve Jones - SSC Editor (4/15/2014)
<snip> perhaps moving to SSL 3 would be something I can get done.
Disabling SSLv2 and moving to SSLv3 doesn't hurt anything, as XP being deprecated notwithstanding, even completely unpatched Windows XP machines with IIS 6 support SSLv3.
Even going to the next step of disabling SSLv3 isn't much of a problem, as XP being deprecated still notwithstanding, Windows XP SP3, or Windows XP SP2 with KB946627, or XP RTM with unpatched IIS 6 where users went into Options, Advanced, Security, and checked the TLS 1.0 checkbox, also have TLS 1.0 available, as does every later version and browser. I do understand wanting to keep maximum compatibility even for very old clients, though, and SSLv3 isn't nearly as broken as SSLv2 is.
Steve Jones - SSC Editor (4/15/2014)
Not sure we want to move the entire site to SSL<snip>
I did not mean moving the entire site to SSL, i.e. forcing everyone to use SSL for the entire site. What I meant was to suggest adding the capability to use SSL to the entire site, for those who desire to use it, and leaving the "force SSL on the login page" alone.
Viewing 3 posts - 1 through 2 (of 2 total)
You must be logged in to reply to this topic. Login to reply