Escolar Documentos
Profissional Documentos
Cultura Documentos
SHOULD I USE?
Our customers develop and deploy products that rely SSL/TLS to protect the
confidentiality and integrity of Web, VPN, e-mail, and other traffic. We are often asked
how to configure SSL/TLS libraries on servers to avoid any known security
vulnerabilities, specifically, regarding which protocol versions and cipher suites should be
enabled. In this post we list new features introduced in and vulnerabilities resolved by
each new version of SSL/TLS, and describe how to select the most secure cipher suites
while maintaining backward compatibility. Certain SSL/TLS versions and cipher suites
were recommended or enabled by default in the past for backward compatibility and
even security reasons; here, we hope to clarify current best practices.
Protocol
Action
SSL 2.0
Disable
SSL 3.0
Disable
TLS 1.0
TLS 1.1
Enable
TLS 1.2
Enable
ensures that software cannot misconfigured to use it, and that attackers cannot force a
client and server to downgrade to it.
Result: Disable SSL 3.0 without regard to backward compatibility.
TLS 1.0 was released in 1999 as a revision to SSL 3.0. Among the modifications to the
protocol was a new padding scheme, and as a result TLS 1.0 is not vulnerable to the
POODLE attack when TLS padding is in use.
However, TLS 1.0 is vulnerable to the BEAST attack, which leverages browser scripting
capabilities and weaknesses in the use of initialization vectors employed when
encrypting with a block cipher in CBC mode[4]. BEAST can be worked around without
breaking the TLS 1.0 protocol in one of two ways:
1. Disable all CBC mode cipher suites; stream ciphers are not vulnerable.
Unfortunately, the only non-CBC cipher widely supported, RC4, is susceptible to
additional security issues of its own.
2. Modify TLS client and server libraries to add a "tweak" to the way in which the
software communicates, called "insert empty fragments".
If TLS 1.0 must be supported, then we recommend ensuring that both the client and
server follow the "insert empty fragments" workaround, rather than switching to RC4.
Many servers continue to support TLS 1.0 for backward compatibility, as some widelydeployed software does not support later versions of TLS (e.g., Windows XP, Windows
Server 2003, OpenSSL 0.9.8), while other software, including Mozilla Firefox, did not
implement TLS 1.1 until many years after its introduction in 2006. TLS 1.0 users who
wish to use workarounds rather than discontinue support must be diligent in ensuring
their TLS libraries are up to date and properly configured. We recommend that users
instead upgrade unless a specific backward compatibility issue precludes disabling TLS
1.0.
Result: Disable TLS 1.0; re-enable if backward compatibility issues arise.
TLS 1.1 was released in 2006 as a revision to TLS 1.0. Among the modifications to the
protocol is a new IV generation scheme; thus, TLS 1.1 is not susceptible to BEAST.
While attacks have been successfully launched against specific TLS 1.1 features, such
as compression (CRIME) and renegotiation, workarounds exist that do not break
protocol compatibility. Note: these issues affect TLS 1.2 as well.
TLS 1.1 users should be diligent in ensuring their TLS libraries are up to date and
properly configured to enable security workarounds according to current best practices
(e.g., disabling compression, and enabling the RFC 5746 renegotiation workaround).
Result: Enable TLS 1.1.
TLS 1.2 was released in 2008 as a revision to TLS 1.1. As of this writing, it is
unnecessary to upgrade from TLS 1.1 to 1.2 in response to any known, exploitable
vulnerabilities, but TLS 1.2 introduces useful features such as higher-performance GCM
cipher suites and a SHA-256 based pseudorandom function. GCM cipher suites also use
provide authenticated encryption, replacing TLSs traditional Encrypt-then-Authenticate
scheme.
TLS 1.2 users should be diligent in ensuring their TLS libraries are up to date and
properly configured to enable security workarounds according to current best practices
(e.g., disabling compression, and enabling the RFC 5746 renegotiation workaround).
Result: Enable TLS 1.2.
Cipher Suites
The SSL/TLS protocols were designed to be extensible and modular, allowing the
server/client authentication, key exchange, encryption, and message integrity (MAC)
protocols to be changed without replacing the entire protocol. The most recent cipher
suites use RSA, ECDH, or ECDSA for authentication, ECDHE for key exchange, AES for
encryption, and GCM for integrity, but a large number of older and backwardcompatibility cipher suites also exist. We split the cipher suites into three categories:
those that should always be enabled for the best security possible, those that can be
enabled if desired for compability, and those that should always be disabled due to
security weaknesses.
A quick way to specify only AES-based cipher suites while requiring RSA, ECDH, or
ECDSA certificates for server authentication, when using OpenSSL,
is: AES+aRSA:AES+aECDH:AES+aECDSA. Modern x86 processors support hardware-accelerated
AES and AES/GCM encryption. This capability allows AES cipher suites to provide both
high performance and robust security.
Optional or Uncommon Cipher Suites
SSL/TLS libraries commonly support many other ciphers and authentication schemes,
such as the Camellia, Triple-DES, and SEED cipher suites; and the Kerberos, preshared
key, and DSS authentication schemes. While as of this writing, there are currently no
known attacks against these algorithms, they can generally be disabled without any
compatibility consequences. Disabling unnecessary features in security-critical libraries
also helps to reduce the attack surface.
Weak or Broken Cipher Suites
The following types of cipher suites are weak or broken and should always be disabled.
Null cipher. The NULL cipher (eNULL) does not perform any encryption and should only
be used for testing or debugging.
Export grade ciphers. These obsolete cipher suites were used when US export
restrictions limited cryptographic strength to 40 bits (later 56). Most of the relevant
restrictions were lifted in 2000, so these are unnecessary for all current software and are
too weak against brute-force attacks.
Anonymous ciphers. While SSL/TLS almost always uses certificates to prove a
server's identity, this is not required when using an anonymous cipher suite (usually
disabled by default at the application layer, e.g., mod_ssl or IIS).
MD5-based cipher suites. Many older cipher suites used a MAC algorithm based on
MD5 to detect modifications to the encrypted data. The MD5 algorithm has been shown
to be weak and susceptible to collisions; also, some MD5 cipher suites make use of
ciphers with known weaknesses, such as RC2, and these are automatically disabled by
avoiding MD5.
RC4 cipher suites. The RC4 cipher's key scheduling algorithm is weak in that early
bytes of output can be correlated with the key. This weakness was used in certain
attacks against Wired Equivalent Privacy (WEP), the first encryption standard for 802.11
Future
TLS 1.3 is, as of this writing, currently under development and makes more substantial
changes to the protocol than previous revisions; in fact, it is the most significant revision
to the protocol since SSL 3.0. In a reversal from previous practice, many weak or
backward-compatibility features, such as RC4, compression, and static RSA
authentication, are proposed to be dropped from TLS 1.3. As TLS 1.3 is deployed,
administrators should implement support when possible. In particular, as clients and
servers migrate to TLS 1.3, many workarounds and hardening steps will no longer be
necessary.