AnsweredAssumed Answered

Update Best practices, prioritize GCM over CBC

Question asked by Ty V on Feb 9, 2019
Latest reply on Apr 18, 2019 by Keith Shaw

As you are aware windows 10 prioritizes GCM over CBC, even TLS_RSA GCM over ECDHE_ECDSA CBC.


Feburary 8 2019:


"Craig Young, a computer security researcher for Tripwire's Vulnerability and Exposure Research Team, found vulnerabilities in SSL 3.0's successor, TLS 1.2, that allow for attacks akin to POODLE due to TLS 1.2's continued support for a long-outdated cryptographic method: cipher block-chaining (CBC). The flaws allow man-in-the-middle (MitM) attacks on a user's encrypted Web and VPN sessions."

 

Source: https://www.darkreading.com/vulnerabilities---threats/new-zombie-poodle-attack-bred-from-tls-flaw/d/d-id/1333815

 

Please consider updating your best practices, and prioritizing GCM over CBC, prioritizing the ECC Diffie–Hellman suites over RSA.

February 9, 2019:

"Seven researchers from all over the world found --yet again-- another way to break RSA PKCS#1 v1.5, the most common RSA configuration used to encrypt TLS connections nowadays. Besides TLS, this new Bleichenbacher attack also works against Google's new QUIC encryption protocol as well."

Source: New TLS encryption-busting attack also impacts the newer TLS 1.3

https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices

 

Please weigh in and consider with your expertise

 

Thank you very much.

Outcomes