Encryption Protocols & Ciphers

One of the best practices for Pleasant Password Server is to disable the SSL/TLS protocol versions and cipher suites that are known to be insecure.

  • Pleasant Password Server and the connecting browser/machine negotiate the most secure protocol and cipher suite that both sides support. Negotiation only helps if the strong options are offered and the insecure ones are not, so:

    1. Keep Password Server up to date, so that the latest security patches and default configurations are applied.
    2. Keep browsers and machine operating systems updated regularly; vendors retire weak protocols and cipher algorithms as they are reviewed, so updates track those improvements automatically.
    3. Use a certificate from a trusted CA with a modern key and signature (RSA 2048-bit or ECDSA P-256, SHA-256). The certificate's key type also determines which cipher suites can be negotiated, so a weak or outdated certificate limits the connection to weaker encryption.

SSL/TLS Versions

  • TLS 1.3 (RFC 8446, 2018) is faster, drops the legacy cipher suites and renegotiation, and is the default in current browsers
  • TLS 1.2 has been the long-standing baseline and remains acceptable with a good cipher suite list
  • TLS 1.0 and TLS 1.1 are deprecated (RFC 8996, 2021); PCI DSS required TLS 1.0 to be retired by June 2018, and mainstream browsers disabled both versions in 2020
  • SSL 2.0, SSL 3.0 and PCT 1.0 are prohibited/obsolete (RFC 6176, RFC 7568) and must not be enabled; SSL 1.0 was never publicly released

Also:

  • QUIC (RFC 9000), the transport under HTTP/3 (RFC 9114), replaces TCP as the carrier of TLS rather than replacing TLS: its handshake is TLS 1.3 (RFC 9001)

Test Your Encryption

You can test your browser, mobile device, or external-facing website and see the protocols and ciphers being negotiated here:

For an internal server: see the next sections (below).

You can also see the specific negotiated connection protocols for the current website you are viewing:

  • Chrome: Press F12 -> click the Security tab -> view the Connection details
  • Firefox: Click the padlock next to the URL -> Show Connection Details (More Information) -> view the Technical Details
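For an internal server that an online scanner cannot reach, the following PowerShell script is an added example (it is not part of the Pleasant Password Server documentation) that opens a connection with each SSL/TLS version in turn and reports whether the server accepted it and which cipher was negotiated. The host name and port are placeholders; replace them with your own server's. Because the script uses the Windows Schannel client, a version that is disabled on the machine running the script is reported as rejected even if the server would accept it, so run it from a machine that still has the old versions enabled on the client side when you want to know what the server itself allows.

```powershell
# Added example: probe which SSL/TLS versions an internal server accepts.
# Works with Windows PowerShell 5.1 on .NET Framework; the host and port are
# assumed placeholders for your own Password Server instance.
param(
    [string]$TargetHost = 'passwordserver.internal.example',  # assumption
    [int]$Port = 10001                                         # assumption
)

function Test-TlsProtocol {
    param(
        [string]$HostName,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $stream = $tcp.GetStream()
        # The callback accepts any certificate: this probe tests protocol
        # negotiation only, not trust, so self-signed internal servers work.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $acceptAll
        # Offer exactly one protocol version; the server either completes the
        # handshake with it or aborts.
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        [pscustomobject]@{
            Offered     = $Protocol
            Accepted    = $true
            Negotiated  = $ssl.SslProtocol
            KeyExchange = "$($ssl.KeyExchangeAlgorithm)/$($ssl.KeyExchangeStrength)"
            Cipher      = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Hash        = "$($ssl.HashAlgorithm)"
        }
    } catch {
        # A handshake failure means the server (or the local Schannel client
        # configuration) refused this version.
        [pscustomobject]@{
            Offered     = $Protocol
            Accepted    = $false
            Negotiated  = $null
            KeyExchange = $null
            Cipher      = $null
            Hash        = $_.Exception.GetBaseException().Message
        }
    } finally {
        $tcp.Dispose()
    }
}

$versions = 'Ssl3', 'Tls', 'Tls11', 'Tls12'
# The Tls13 enum member only exists on .NET Framework 4.8 / recent Windows builds.
if ([enum]::GetNames([System.Security.Authentication.SslProtocols]) -contains 'Tls13') {
    $versions += 'Tls13'
}

$results = foreach ($v in $versions) {
    Test-TlsProtocol -HostName $TargetHost -Port $Port -Protocol ([System.Security.Authentication.SslProtocols]$v)
}
$results | Format-Table -AutoSize
# Any version older than TLS 1.2 that shows Accepted = True should be disabled on the server.
```

The Cipher and KeyExchange columns are what to look at once the old versions are gone: a TLS 1.2 connection that reports an RSA key exchange or a non-AES cipher is a sign that the server's cipher suite order still needs work.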

Enable TLS 1.2

Newer versions of Password Server use the strongest protocol the operating system offers. Making these registry settings also enables TLS 1.2 for older Password Server versions and for other applications on the machine:

How To Disable Insecure Server Ciphers

First of all, keeping the machine OS updated helps you stay on the right encryption protocols for your connections.

Here are a few ways to disable server protocols and, if you wish, specific cipher suites. The easiest is the IISCrypto tool (Windows Server machines only).

By Machine Registry Settings

Windows Server (2003, 2008, 2012, 2016)

Even on Windows Server 2012 R2, older protocols such as TLS 1.0 are still enabled by default and should be disabled.
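The following PowerShell script is an added example of the registry settings that the "Enable TLS 1.2" and "By Machine Registry Settings" sections refer to; it is not part of the Pleasant documentation. It writes the Schannel keys that turn TLS 1.2 on and PCT 1.0, SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 off for both the Server and Client side, then sets the .NET Framework 4.x values that make .NET applications on the machine (the "older versions / other applications" case) follow the operating system's protocol list. Run it elevated, in a test environment first, and reboot afterwards, since Schannel reads these keys at start-up. Disabling the Client side of TLS 1.0/1.1 also affects outbound connections from this machine (RDP, SQL Server, LDAPS to older hosts), so check those dependencies before rolling the change out.

```powershell
# Added example: Schannel protocol settings. Run in an elevated PowerShell on the
# server that hosts Password Server, then reboot. Test on a non-production
# machine first.
$protocolsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enabled)
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $protocolsKey "$Name\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=1 with DisabledByDefault=0 turns a version on; the reverse turns
        # it off. Set both: a version can be "enabled" yet skipped during
        # negotiation when DisabledByDefault is 1.
        New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # Report the registry state per version and side. "not set" means the OS
    # default applies, which is why 2012 R2 still offers TLS 1.0 out of the box.
    foreach ($name in 'PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path $protocolsKey "$name\$side"
            $p = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $name
                Side              = $side
                Enabled           = if ($null -ne $p.Enabled) { $p.Enabled } else { 'not set' }
                DisabledByDefault = if ($null -ne $p.DisabledByDefault) { $p.DisabledByDefault } else { 'not set' }
            }
        }
    }
}

# 1. Make sure TLS 1.2 is on. Older Windows versions (7 / 2008 R2) support it
#    but do not enable it by default for every use.
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true

# 2. Turn off everything older.
foreach ($old in 'PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    Set-SchannelProtocol -Name $old -Enabled $false
}

# 3. .NET Framework 4.x applications do not automatically follow Schannel.
#    SchUseStrongCrypto=1 makes them prefer TLS 1.2 and stop offering SSL 3.0;
#    SystemDefaultTlsVersions=1 (4.7 and later) makes them use the OS protocol
#    list configured above. Both the 64-bit and the 32-bit (Wow6432Node) hives
#    need the values.
$netKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
foreach ($key in $netKeys) {
    if (Test-Path $key) {
        New-ItemProperty -Path $key -Name SchUseStrongCrypto -PropertyType DWord -Value 1 -Force | Out-Null
        New-ItemProperty -Path $key -Name SystemDefaultTlsVersions -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
Write-Host 'Reboot for Schannel to apply the protocol changes.'
```

Run Get-SchannelProtocolState again after the reboot, and confirm the result from another machine with a protocol probe: the registry shows what was asked for, the handshake shows what the server actually does.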

All Windows Versions

It's possible to view and change the specific cipher suites your machine offers:

  • Cipher Suites in TLS/SSL (Schannel SSP)
  • Windows 7, 8, 8.1, 10:
    • "To add cipher suites, use the group policy setting SSL Cipher Suite Order under Computer Configuration > Administrative Templates > Network > SSL Configuration Settings to configure a priority list for all cipher suites you want enabled."
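As an added example of working with the cipher suite list the quoted policy text refers to (this script is not part of the Pleasant documentation): on Windows 10 and Windows Server 2016 and later the same list can be read and edited with the TLS module cmdlets, which maintain the per-machine list, while the "SSL Cipher Suite Order" group policy, when set, overrides it with a comma-separated string stored in the registry. The script prints what the machine currently offers, removes suites built on RC4, DES/3DES, NULL encryption or MD5, and moves the ECDHE/AES-GCM suites (the ones HTTP/2 requires) to the front. Which suites to drop is a policy choice; test against your oldest client first.

```powershell
# Added example: inspect and prune the Schannel cipher suite list.
# Requires the TLS module cmdlets (Windows 10 / Windows Server 2016 and later);
# run elevated. Changes apply to new connections without a reboot.

# If the "SSL Cipher Suite Order" group policy is set, it wins over the local
# list. The policy stores a comma-separated string in this key:
$gpoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
if (Test-Path $gpoKey) {
    Write-Host 'Cipher suite order is controlled by group policy:'
    (Get-ItemProperty -Path $gpoKey).Functions -split ','
}

# Current local list, in priority order.
Get-TlsCipherSuite | Select-Object Name, Protocols, Exchange, Cipher, Hash | Format-Table -AutoSize

# Suites that should not be offered: RC4, DES and 3DES, NULL (no encryption), MD5.
$weakPattern = 'RC4|_DES_|3DES|NULL|MD5'
Get-TlsCipherSuite | Where-Object { $_.Name -match $weakPattern } | ForEach-Object {
    Write-Host "Disabling $($_.Name)"
    Disable-TlsCipherSuite -Name $_.Name
}

# Put forward-secret AEAD suites first. HTTP/2 (RFC 7540, Appendix A) black-lists
# the TLS 1.2 suites without ephemeral key exchange or an AEAD cipher, so a server
# whose first match with the browser is e.g. TLS_RSA_WITH_AES_128_CBC_SHA makes
# Chrome report ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY.
$preferred = 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
             'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
             'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
             'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'
$position = 0
foreach ($name in $preferred) {
    # Remove the suite if present, then re-insert it at the wanted index;
    # -Position inserts at that place in the priority list.
    Disable-TlsCipherSuite -Name $name -ErrorAction SilentlyContinue
    Enable-TlsCipherSuite -Name $name -Position $position
    $position++
}

# The first entries should now be the ECDHE/GCM suites.
Get-TlsCipherSuite | Select-Object -First 6 -ExpandProperty Name
```

On older Windows versions without these cmdlets, the equivalent is the group policy setting quoted above, or IISCrypto, which edits the same Functions value.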

By Group Policy

How To Disable Insecure Browser Ciphers

If a test shows that insecure protocols are still offered by your browser, they can be disabled in the browser's settings:

Recommended Algorithms & Ciphers

An up-to-date recommendation list, together with the theory and a general explanation, is published by SSL Labs (Qualys), a well-known authoritative site. They recommend making changes in a test environment first, to preserve compatibility with any other applications that need the server:

Insecure Algorithms & Ciphers


Further Reading

A short technical guide for network administrators on encryption protocols can be found here:

Additional technical links:

Troubleshooting

  • Connection error: ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY (shown as ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY in newer Chrome versions)
    • Chrome reports this when it has negotiated HTTP/2 with the server over a TLS 1.2 cipher suite on the HTTP/2 cipher suite black list (RFC 7540, Appendix A): the suites without an ephemeral key exchange or an AEAD cipher, such as the TLS_RSA_* and *_CBC_SHA suites. The connection itself is encrypted, but HTTP/2 refuses to use it.
    • To resolve, use one of the methods above so that an ECDHE/AES-GCM suite is preferred, or disable the black-listed suites outright
