Transport Layer Security (TLS) is widely used to secure data in transit between clients and servers. A cipher suite consists of authentication, encryption and message authentication code (MAC) components. A misconfigured cipher selection can leave your applications or systems vulnerable to attack.
A cipher suite is a combination of algorithms, and many combinations are available. Different selections offer different levels of security and client compatibility. Application or system owners should choose cipher suites that secure data transfer while still meeting business needs.
The following recommendations apply when selecting cipher suites:
- Disable SSL v2, SSL v3 and TLS v1.0 due to known vulnerabilities (e.g. POODLE, BEAST, etc.)
- Use TLS v1.2 to enable modern cryptographic algorithms
- Disable insecure or weak ciphers such as DES, 3DES and RC4
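
The three recommendations above, applied with Python's standard `ssl` module and checked by a small audit function. This is an added example, not part of the original page; the cipher string, function names and sample scan data are assumptions chosen for illustration.

```python
import re
import ssl

# From the list above: protocols to disable and cipher families to avoid.
BANNED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}
WEAK_TOKENS = {"DES", "3DES", "RC4"}


def audit(protocols, ciphers):
    """Return ("protocol"|"cipher", name) for every item that breaks the list."""
    findings = [("protocol", p) for p in protocols if p in BANNED_PROTOCOLS]
    for name in ciphers:
        # Token match covers OpenSSL names (DES-CBC3-SHA) and IANA names
        # (TLS_RSA_WITH_3DES_EDE_CBC_SHA) without flagging AES suites.
        if WEAK_TOKENS & set(re.split(r"[-_]", name.upper())):
            findings.append(("cipher", name))
    return findings


def hardened_server_context():
    """Server context: TLS 1.2 minimum, DES/3DES/RC4 and anonymous suites off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!DES:!3DES:!RC4")  # one possible string
    return ctx


def enabled_cipher_names(ctx):
    # Only names are used: the "protocol" field of get_ciphers() is the version
    # that first defined the suite, not the version the context will negotiate.
    return [c["name"] for c in ctx.get_ciphers()]


# Constructed sample of what a scan of a legacy server might list.
LEGACY_PROTOCOLS = ["SSLv3", "TLSv1.0", "TLSv1.2"]
LEGACY_CIPHERS = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DES-CBC3-SHA",
    "RC4-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    for kind, name in audit(LEGACY_PROTOCOLS, LEGACY_CIPHERS):
        print(f"FAIL {kind}: {name}")
    ctx = hardened_server_context()
    print("hardened:", ctx.minimum_version.name, audit([], enabled_cipher_names(ctx)))
```
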
Some online services offer SSL certificate and cipher checking, which may be used to verify the SSL certificate installation and cipher configuration of servers (see the “SSL Server Test” link below).
Please refer to the following webpages for the selection and configuration of cipher suites:
- Recommendations for TLS/SSL cipher hardening (https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/)
- TLS Cipher String Cheat Sheet (https://www.owasp.org/index.php/TLS_Cipher_String_Cheat_Sheet)
- Mozilla Security/Server Side TLS (https://wiki.mozilla.org/Security/Server_Side_TLS)
- SSL Server Test (https://www.ssllabs.com/ssltest/)
Note: For systems protected by a Web Application Firewall (WAF), the selection of cipher suites will be more restrictive in order to be compatible with the WAF.