lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat, 6 Sep 2014 22:52:23 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 19): still no
	"perfect forward secrecy" per default in Windows
	8/7/Vista/Server 2012/Server 2008 [R2]

Hi @ll,

on April 8, 2014 Microsoft published an update for Windows 8.1 and
Windows Server 2012 R2 (see <http://support.microsoft.com/kb/2929781>)
which enables "perfect forward secrecy" per default by reordering of
the TLS cipher suites.


Unfortunately Microsoft has not published corresponding updates for
Windows 8/Server 2012, Windows 7/Server 2008 R2 and Windows Vista/
Server 2008, despite numerous requests from its customers, although
these version support "perfect forward secrecy". For example, see
<https://connect.microsoft.com/IE/feedback/details/796877/better-support-for-perfect-forward-secrecy>


Fortunately it's dead simple to enable "perfect forware secrecy" in
Windows Vista and later versions: just change the order of the TLS
cipher suites in the registry entry

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002]
"Functions"=multi:...

and reboot.


For Windows 7/Server 2008 R2/8/Server 2012 you can use the script
<http://home.arcor.de/skanthak/download/NT6_PFS.INF> to perform all
the necessary changes to enable PFS as well as TLS 1.2 and disable
some week algorithms/ciphers too.

You'll see the success when you visit <https://www.howsmyssl.com/>,
<https://www.ssllabs.com/ssltest/viewMyClient.html> or
<https://cc.dcsec.uni-hannover.de/> with Internet Explorer 8 and
later after the reboot.


have fun
Stefan Kanthak


JFTR: IPsec is able to use "perfect forward secrecy" for MANY years,
      see <http://support.microsoft.com/kb/252735>,
      <http://support.microsoft.com/kb/301284> and
      <http://support.microsoft.com/kb/816514> as well as
      <http://technet.microsoft.com/library/cc759504.aspx>

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists