Posts

Showing posts from May, 2015

The Joy Of Ciphers

Image
Whilst re-installing a desktop for a refresh I usually harden the installation to reduce the attack surface, and weed out legacy options that only assist a penetration 'tester'.

One of the areas is to restrict the available ciphers - for most corporate install requirements this is fairly simple as the security model tends to be closed box, but when you're dealing with smaller enterprises or residential operations you're at the mercy of ISPs. Having to find the information annoyed me so I thought I may be able to save someone else some pain by publishing it.

If you're dealing with a personal machine and locking down cipher suites via something like Group Policy, you'll soon discover there's a maximum character limit on the SSL configuration item - so you'll need to be selective with your allow list.

If you have a base list which looks something like this:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_RSA_…