TL;DR
Yes, TLS should be strict about the ciphers it supports. Older, weaker ciphers create vulnerabilities. Modern configurations should only enable strong, secure cipher suites and disable anything outdated or known to be compromised. This improves your cyber security significantly.
Why Cipher Suites Matter
TLS (Transport Layer Security) uses cipher suites to encrypt communication between a client (like a web browser) and a server. A cipher suite is essentially a package of algorithms that determine how data is secured during transit. Different suites offer varying levels of security.
Using weak or outdated ciphers is like leaving your front door unlocked – it makes you an easy target for attackers. Attackers can exploit these weaknesses to intercept and decrypt sensitive information, such as passwords, credit card details, and personal data.
How to Check Your Current Cipher Suites
- Using OpenSSL (command line): This is a common method on Linux/macOS servers.
- Run the following command against your server’s hostname or IP address:
openssl s_client -connect yourdomain.com:443
The Cipher line in the output shows the suite that was negotiated for this connection.
Steps to Configure Strong Cipher Suites
The exact configuration steps depend on your web server software (e.g., Apache, Nginx, IIS). Here are general guidelines:
1. Identify Supported Ciphers
Start by determining which cipher suites your server supports. Then, focus on enabling only the strong ones.
2. Disable Weak and Vulnerable Ciphers
Specifically, disable these:
- RC4: This is a very old cipher that has known vulnerabilities.
- DES & 3DES: These are also outdated and insecure.
- MD5-based ciphers: MD5 is a weak hashing algorithm.
- Export Ciphers: These were designed for compatibility with older systems and have reduced security.
- Any cipher suites using SHA-1: While not completely broken, SHA-1 is considered deprecated and should be avoided where possible.
3. Prioritize Strong Cipher Suites
Configure your server to prefer strong ciphers first. A good starting point includes:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
These suites use strong encryption algorithms (AES-256, AES-128, ChaCha20) and forward secrecy (ECDHE), which protects past communication even if the server’s private key is compromised.
4. Example Configuration (Nginx)
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:!MD5';
This example sets the preferred cipher suites and explicitly disables MD5-based ciphers. The directive takes a cipher string in OpenSSL's format, so the three suites listed above are written with their OpenSSL names.
5. Example Configuration (Apache)
SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:!MD5
6. Restart Your Web Server
After making changes to your configuration file, restart your web server for the new settings to take effect.
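The audit below is an added example, not part of the original article. It expands an OpenSSL cipher string (the format used in the Nginx and Apache directives above) with Python's ssl module and flags any resulting suite that falls into the five categories from step 2. The function names and the looser comparison string are assumptions made for illustration.

```python
import re
import ssl

# OpenSSL-name form of the article's preferred list.
STRICT = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
          "ECDHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:!MD5")
# Constructed comparison: a looser string that only excludes MD5.
LOOSE = "HIGH:!aNULL:!MD5"

# Categories the article says to disable, keyed by a token found in the
# suite name (OpenSSL "ECDHE-RSA-RC4-SHA" or IANA "TLS_RSA_WITH_RC4_128_SHA").
WEAK_TOKENS = {
    "RC4": "RC4",
    "DES": "DES/3DES", "3DES": "DES/3DES", "DES40": "DES/3DES",
    "MD5": "MD5",
    "EXP": "export", "EXPORT": "export",
}


def weaknesses(name):
    """Return the sorted list of weak categories a suite name falls into."""
    tokens = re.split(r"[-_]", name.upper())
    found = {WEAK_TOKENS[t] for t in tokens if t in WEAK_TOKENS}
    # A SHA-1 MAC shows up as a bare trailing "SHA"; SHA256/SHA384 are SHA-2.
    if tokens[-1] == "SHA":
        found.add("SHA-1")
    return sorted(found)


def audit(names):
    """Map each weak suite name to its categories; strong suites are omitted."""
    return {n: w for n in names if (w := weaknesses(n))}


def expand(cipher_string):
    """Expand an OpenSSL cipher string with the local OpenSSL build.

    TLS 1.3 suites are always listed; this string does not control them.
    Raises ssl.SSLError if the string selects no cipher at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    for label, spec in (("strict", STRICT), ("loose", LOOSE)):
        print(label, audit(expand(spec)) or "no weak suites")
```

What the looser string expands to depends on the OpenSSL build the interpreter is linked against, so run the audit on the host that will serve the configuration.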
Regular Updates
Cipher suite recommendations evolve as new vulnerabilities are discovered and better algorithms become available. Regularly review and update your cipher suite configuration to maintain optimal cyber security.