How to Update Your Windows Server Cipher Suite for Better Security
You run a respectable website that your users can trust. Right? You might want to double check that. If your site is running on Microsoft Internet Information Services (IIS), you might be in for a surprise. When your users try to connect to your server over a secure connection (SSL/TLS) you may not be providing them a safe option.
Why Your Cipher Suites are Important: Your browser initiates a secure connection to a site. This is most easily identified by a URL starting with “HTTPS://”. Firefox offers up a little lock icon to illustrate the point further. Chrome, Internet Explorer, and Safari all have similar methods of letting you know your connection is encrypted. The server you’re connecting to replies to your browser with a list of encryption options to choose from in order of most preferred to least. Your browser goes down the list until it finds an encryption option it likes and we’re off and running. The rest, as they say, is math. (No one says that.)
The fatal flaw in this is that not all of the encryption options are created equally. Some use really great encryption algorithms (ECDH), others are less great (RSA), and some are just ill advised (DES). A browser can connect to a server using any of the options the server provides. If your site is offering up some ECDH options but also some DES options, your server will connect on either. The simple act of offering up these bad encryption options makes your site, your server, and your users potentially vulnerable. Unfortunately, by default, IIS provides some pretty poor options. Not catastrophic, but definitely not good.
How to See Where You Stand
Before we start, you might want to know where your site stands. Thankfully the good folks at Qualys are providing SSL Labs to all of us free of charge. If you go to https://www.ssllabs.com/ssltest/, you can see exactly how your server is responding to HTTPS requests. You can also see how services you use regularly stack up.
Qualys SSL Labs Test Page
One note of caution here. Just because a site doesn’t receive an A rating doesn’t mean the folks running them are doing a bad job. SSL Labs slams RC4 as a weak encryption algorithm even though there are no known attacks against it. True, it is less resistant to brute force attempts than something like RSA or ECDH, but it isn’t necessarily bad. A site may offer an RC4 connection option out of necessity for compatibility with certain browsers so use the sites rankings as a guideline, not an iron clad declaration of security or lack thereof.
More info and how to update IIS here: http://www.howtogeek.com/221080/how-to-update-your-windows-server-cipher-suite-for-better-security/