Securing your browsers: Internet Explorer

As third and last, I’ll show you how to secure your browser settings for Internet Explorer.

Internet Explorer is somewhat different because it doesn’t have it’s own settings for cipher suites. It gets those from the operating system. In Windows they are implemented in one of the SSPI’s namely SChannel. So to enable or disable cipher suites in IE, you need to enable or disable them in Windows.

First, let’s take care of the obvious. In IE there is an SSLv3 setting in the Advanced tab of the Internet Options. Uncheck this and IE will be POODLE-proof. SSL 2.0 should be unchecked by default.

2015_01_06_12_16_22_Internet_Options

Now, to disable cipher suites we could edit the registry. This is complicated and error prone, so we are going to use a tool. Download IIS Crypto here. I recommend version 1.6 GUI for .NET 4.0.

Start the tool with elevated privileges and have most of the work done for you by clicking the Best Practices button. You’ll have to Press the Apply button and restart for the changes to take effect.

I have edited the cipher suite order and put the ECDHE_ECDSA ciphers at the top of the list, followed by the ECDHE_RSA ciphers. I have tried disabling MD5 hashing but found that some applications for RDP were not working anymore. Disable every protocol before TLS 1.0 and every cipher suite above Triple DES 168. I tried disabling Triple DES 168, but some websites wont work anymore because they are not updated to use the newer Elliptic Curve cipher suites yet. Please test what works for you and post in comments.

2015_01_06_12_30_23_IIS_Crypto_1.6_build_7

2015_01_06_12_30_39_IIS_Crypto_1.6_build_7

2015_01_06_12_30_58_IIS_Crypto_1.6_build_7

As you can see, I disabled all TLS_DHE_DSS suites and the RC4 suite. I use the 3DES_CBC suite as a fallback suite.

I also disabled a few RSA SHA256 and RSA SHA384 suites because Microsoft released a bad patch. The IIS Crypto site also tells us to disable these:

2015_01_06_12_38_17_Nartac_Software_IIS_Crypto_Chromium

This concludes my ‘series’ on how to secure your browser. It may be that these settings will be deprecated real soon. It might also be that you can use these safely for a few years. All depends on the progress and development in the field of cryptography. I will keep you updated.

Securing your browsers: Firefox

As a continuation of my previous post, I will now show you how to use secure settings with your Firefox browser. We still have to do the following:

  • Disable SSLv3 (this counters POODLE)
  • Disable RC4 cipher suites as much as possible
  • Disable SHA1 cipher suites as much as possible
  • Disable DES3 cipher suites as much as possible

I will use the most current version of Firefox, which is version 34.0(.5) as of now. The development team decided it was time to drop SSLv3 support by default, so they conveniently  took care of the first point.

To get to the security settings, open the about:config page in the address bar. Take notice of the warning and proceed. Now type ‘ssl’ in the search box that has appeared and press Enter. You will see all SSL related settings. On the bottom of your page are the cipher suites. The last column indicates if the cipher suite is enabled or not. True is enabled, false is disabled.

Again, I have tested several cipher suites in the last months and have come to a workable situation. I advise you to disable the following settings starting from the bottom:

  • security.ssl3.rsa_rc4_128_md5;false
  • security.ssl3.rsa_camellia_256_sha;false
  • security.ssl3.rsa_camellia_128_sha;false
  • security.ssl3.ecdhe_rsa_rc4_128_sha;false
  • security.ssl3.ecdhe_rsa_des_ede3_sha;false
  • security.ssl3.ecdhe_ecdsa_rc4_128_sha;false
  • security.ssl3.dhe_rsa_des_ede3_sha;false
  • security.ssl3.dhe_rsa_camellia_256_sha;false
  • security.ssl3.dhe_rsa_camellia_128_sha;false
  • security.ssl3.dhe_dss_aes_256_sha;false
  • security.ssl3.dhe_dss_aes_128_sha;false

Some will be disabled by default.

In addition, I advise you to enable the following cipher suites, again starting for the bottom of the page. These are cipher suites that can provide Perfect Forward Secrecy and are not (publicly) know to have been compromised:

  • security.ssl3.rsa_rc4_128_sha;true (fallback cipher suite)
  • security.ssl3.rsa_aes_256_sha;true (fallback cipher suite)
  • security.ssl3.ecdhe_rsa_aes_256_sha;true
  • security.ssl3.ecdhe_rsa_aes_128_sha;true
  • security.ssl3.ecdhe_rsa_aes_128_gcm_sha256;true
  • security.ssl3.ecdhe_ecdsa_aes_256_sha;true
  • security.ssl3.ecdhe_ecdsa_aes_128_sha;true
  • security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256;true
  • security.ssl3.dhe_rsa_aes_256_sha;true
  • security.ssl3.dhe_rsa_aes_128_sha;true

Additionally, you can disable ssl3.rsa_aes_128_sha too in favor of ssl3.rsa_aes_256_sha, ssl3.dhe_rsa_aes_128_sha in favor of ssl3.dhe_rsa_aes_256_sha and ssl3.ecdhe_ecdsa_aes_128_sha in favor of ssl3.ecdhe_ecdsa_aes_256_sha. Almost all servers support the 256bit version if the 128bit version is also offered, so this way I force the one with the strongest encryption. Mind you, I have not tested this thoroughly.

Firefox will prefer other cipher suites before ssl3.rsa_rc4_128_sha, so this will really act as a fallback cipher suite. Your result should be similar to this:

2015_01_06_10_50_27_about_config

Now, to check SSLv3 is disabled, type in ‘tls’ in the search box. You will see the setting security.tls.version.min;1. It should have the value ‘1’. Value ‘0’ will allow SSLv3.

2015_01_06_10_48_41_about_config

You can test your browser and the cipher suites it uses here or here. It should be these:

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_RC4_128_SHA

or these:

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_RC4_128_SHA

Next post will handle the same settings for Internet Explorer.

%d bloggers like this: