Encryption Protocols and Ciphers
One of the Best Practices for Pleasant Password Server is to disable methods of SSL/TLS encryption that are found to be insecure.
Pleasant Password Server negotiates the best connection possible between your server and client in order to communicate in the most secure protocol & cipher available on your browser/machine/device. However, it is important to ensure that the best and most secure lines of communication are available and that the insecure ones are not.
This is best accomplished by:
- Disable Insecure Protocols: ensure that insecure clients will not communicate with us in vulnerable protocols / algorithms
- Keep Password Server up-to-date: ensure the latest security patches, fixes, & configurations are applied
- Keep Machine updated & Browsers updated regularly: helps to automatically keep pace with the ever-changing security / protocol algorithm improvements, as these get reviewed and updated often
- Use Secure Certificates: will help to ensure the connection uses the best encryption strength possible
- SSL/TLS Versions
- 1. Test Your Encryption
- 2. Use the Strongest Encryption
- 3. How To Disable Insecure Server Ciphers
- 4. How To Disable Insecure Browser Ciphers
- Recommended Algorithms & Ciphers
- TLS 1.3 is faster, more secure, new default in browsers
- TLS 1.2 has been a long held standard
- TLS 1.1 has reached end of life in 2018
- TLS 1.0 protocols are insecure
SSL 1.0, 2.0, 3.0; PCT 1.0 are all deprecated and should not be used
- QUIC (in HTTP/3) is in draft format: intended to replace TLS
You can test the connection your Browser, Mobile Device, or External-Facing website, and see the protocols & ciphers being used here:
For an internal server: see the next sections (below).
You can also see the specific negotiated connection protocols for the current website you are viewing:
- Chrome: Type F12 -> Click Security tab -> View the Connection details
- FireFox: Click the lock next to your URL -> Click Show Connection Details -> View the Technical Details
Password Server negotiates the strongest available encryption between the two devices, the server and client. Making registry setting changes enables specific versions of TLS on a machine, for example, TLS 1.3 or TLS 1.2:
At the same time, you do not want to leave old, outdated encryption protocols or ciphers enabled. Keep reading below.
If you notice they are still available, it's possible to disable insecure protocols for your browser, for example:
First of all, keeping the machine OS updated, can help to stay on top of the right encryption protocols for your connections.
Here are a few safeguard methods to disable server protocols, right down the specific ciphers if you wish. The easiest method being a nice tool IISCrypto (for Windows Server machines only).
By Machine Registry Settings
All Windows Versions
It's possible to view / change the specific cipher algorithms your machine uses:
- Cipher Suites in TLS/SSL (Schannel SSP)
- Windows 7 - 10:
"To add cipher suites, use the group policy setting SSL Cipher Suite Order under Computer Configuration > Administrative Templates > Network > SSL Configuration Settings to configure a priority list for all cipher suites you want enabled."
By Group Policy
SSL Labs publishes an updated recommendation list, and are a well-known authoritative site.
Their suggestions include: first making changes in a test environment, and ensuring that compatibility is maintained for all your required applications on the machine.
They also include a general explanation and a discussion of the theory.
Insecure Algorithms & Ciphers
- Transport Layer Security (TLS) - Wikipedia:
- Hardening Your Web Server’s SSL Ciphers (Rationale section)
A short technical explanation guide for network administrators regarding encryption/protocol can be found here:
SSL and TLS Deployment Best Practices by SSL Labs
Relevant sections: Certificates, Secure Protocols, & Secure Cipher Suite
Additional Technical Links:
- Common Encryption Types
- History of SSL/TLS
- Getting an A+ on the Qualys SSL Test
- HTTP over QUIC