
I need to remove support for weak servers on a site we host. This is a highly secured site where customer data is extremely sensitive and our customers and auditors require that we drop support for weak ciphers.

My challenge is that I don't know the best way to advise customers to make this change. They do not need to drop support for weak ciphers, as they may need to connect to other sites, but they do need to make sure that they can support strong ciphers. We know that we have a small percentage of customers that still negotiate TLS with a weak cipher to us.

So are ciphers only configured at the OS level? Is all TLS/cipher logic exclusively managed by the OS? Or, can custom apps (including browsers) contain their own TLS/cipher logic that bypasses OS configs and even use ciphers that aren't even installed on the OS? I've seen some discussions about changing ciphers within Chrome, but I can't find any authoritative statement about how this works or how it would interact with OS cipher configurations.

Thanks for any ideas!

  • Why do you 'need to [advise] customers ... to remove support for weaker ciphers'? Even if a client offers weak suites (or other parameters) the server can ignore them and only accept strong choices. Is this a website (HTTPS)? If customers are using supported web browsers (not something like Netscape Navigator or AOL) they already support strong TLS. Chrome and Firefox and their derivatives (such as Edge, Opera, Brave, Tor) do use their own TLS stacks; the only major browser now to use an OS stack is Apple's Safari. Nonbrowser clients and servers vary; some use an OS stack, some don't.
    Nov 16 at 1:58
  • You don't need to do this. All current operating systems and browsers use and support ciphers that are secure. For the very small number that are not, the support desk can recommend that they upgrade the endpoint to an operating system that is supported, or install/upgrade the browser to a supported version.
    – Greg Askew
    Nov 16 at 12:38
  • All - this is a Fintech app serving very large customers. Our customers and auditors have extremely high standards for our security requirements that we must meet contractually. Currently we are accommodating a very small percent of our user base that still connects with weak ciphers. As you understand, keeping support for these weak ciphers jeopardizes our entire endpoint security, giving bad actors an easier vector to attack.
    – sisdog
    Nov 16 at 14:33
  • If you have contractual obligations, and you have customers who you are accommodating, and these accommodations don't allow you to meet those contractual obligations, then you'll need to either help them to use your service after you eliminate those accommodations, or you'll have to let them go as customers.
    – joeqwerty
    Nov 17 at 23:09

1 Answer


Assuming these customers connect to your site as the client in a client/server connection, you shouldn't be advising your customers to remove support for weak ciphers/cipher suites on THEIR systems, because that has nothing to do with them connecting to your site. You have no idea what other systems, applications, or sites they connect to that (sadly) may still rely on those weak ciphers/cipher suites.

Making a blanket pronouncement about removing weak ciphers/cipher suites from their systems is a sure fire way of creating problems for them, that you won't be in a position to solve.

If they can't connect to your site after YOU remove support for weak ciphers/cipher suites on YOUR site you can advise them on making whatever changes are needed on their side to allow them to connect to your site, but advising them to remove support for weak ciphers/cipher suites on THEIR systems is not a good idea, IMO.

So send them a communication that informs them of the changes you're making to your site and which ciphers/cipher suites their systems will need to support and use when connecting to your site, but DO NOT tell them to remove weak ciphers/cipher suites from their systems.
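Two practical pieces follow from this thread: the server's own OpenSSL cipher string decides what it will accept after the change, and the "small percentage of customers that still negotiate a weak cipher" in the question are best found in your own access logs before the switch, so the notice can go to exactly the customers it affects. The script below is an added example, not code from the original post or its authors. It assumes the server logs the negotiated protocol and cipher per request (nginx can do this with `log_format tls '$remote_addr $ssl_protocol $ssl_cipher "$request"'`; Apache has equivalent `%{SSL_PROTOCOL}x` / `%{SSL_CIPHER}x` fields), that the hardened server config will be an OpenSSL cipher string such as `ECDHE+AESGCM:ECDHE+CHACHA20` with TLS 1.2 as the minimum, and that the log lines shown are constructed samples rather than real traffic. It resolves the cipher string through the local OpenSSL (via Python's `ssl` module) into concrete suite names, then reports which clients negotiated something the new config would refuse.

```python
"""Audit which clients would be refused once a server stops accepting weak
TLS cipher suites.  Added example; the log format, cipher string and sample
lines are assumptions, not taken from the original post."""
import re
import ssl
from collections import defaultdict

# nginx-style line (assumed format): client, protocol, OpenSSL cipher name, quoted request.
LOG_RE = re.compile(r'^(?P<client>\S+) (?P<proto>\S+) (?P<cipher>\S+) "(?P<request>[^"]*)"')

# Protocol versions the hardened config will still allow (assumed: TLS 1.2 minimum).
STRONG_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def server_allowed_suites(cipher_string="ECDHE+AESGCM:ECDHE+CHACHA20"):
    """Resolve an OpenSSL cipher string to the concrete suite names the server
    would offer, using the local OpenSSL build through the ssl module.
    OpenSSL reports its TLS 1.3 suites alongside the TLS 1.2 list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return {c["name"] for c in ctx.get_ciphers()}


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def audit(log_lines, allowed):
    """Per client: connections that would still succeed (TLS 1.2+ and an allowed
    suite) versus ones the hardened config would reject, plus the rejected
    protocol/suite pairs seen, which is what the customer notice should name."""
    report = defaultdict(lambda: {"ok": 0, "rejected": 0, "seen_weak": set()})
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than miscount them
        entry = report[rec["client"]]
        if rec["proto"] in STRONG_PROTOCOLS and rec["cipher"] in allowed:
            entry["ok"] += 1
        else:
            entry["rejected"] += 1
            entry["seen_weak"].add((rec["proto"], rec["cipher"]))
    return dict(report)


def clients_to_contact(report):
    """Clients with at least one connection the new config would refuse."""
    return sorted(c for c, e in report.items() if e["rejected"] > 0)


# Constructed sample log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.10 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /api/balance HTTP/1.1"',
    '203.0.113.11 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /api/transfer HTTP/1.1"',
    '198.51.100.7 TLSv1.0 AES128-SHA "GET /login HTTP/1.1"',
    '198.51.100.8 TLSv1.2 DES-CBC3-SHA "GET /api/balance HTTP/1.1"',
    '203.0.113.10 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /api/history HTTP/1.1"',
    'this line is malformed and is skipped',
]

if __name__ == "__main__":
    allowed = server_allowed_suites()
    print("server will accept:", ", ".join(sorted(allowed)))
    report = audit(SAMPLE_LOG, allowed)
    for client in clients_to_contact(report):
        e = report[client]
        print(f"{client}: {e['rejected']} rejected / {e['ok']} ok; seen: {sorted(e['seen_weak'])}")
```

Run it against a day or two of real logs before the cutover; the `seen_weak` pairs for each client tell support whether the customer's problem is an old protocol version (a client stack that tops out at TLS 1.0/1.1) or merely a cipher preference on a stack that can already do TLS 1.2 with AEAD suites, which is a much smaller change on their side.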

  • Thanks @joeqwerty. You are correct, I misspoke that they need to remove weak ciphers. Instead, they need to add support for strong ciphers. I updated my question above. Given that, I wonder if you have any thoughts on my original question as to how a user goes about checking, and modifying, their cipher settings. I'm not clear if the OS governs cipher negotiation exclusively or if browsers and/or custom apps can override this. If the latter, I'm wondering how someone would go about finding all the places that could affect their cipher negotiation to check it or modify it.
    – sisdog
    Nov 16 at 15:00
