Message-ID: <DA2D62B09CFE40D6AA9BAAAC4F0CCAF3@celsius>
Date: Sat, 6 Sep 2014 22:52:23 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 19): still no "perfect forward secrecy" per default in Windows 8/7/Vista/Server 2012/Server 2008 [R2]

Hi @ll,
on April 8, 2014 Microsoft published an update for Windows 8.1 and
Windows Server 2012 R2 (see <http://support.microsoft.com/kb/2929781>)
which enables "perfect forward secrecy" per default by reordering of
the TLS cipher suites.
Unfortunately Microsoft has not published corresponding updates for
Windows 8/Server 2012, Windows 7/Server 2008 R2 and Windows Vista/
Server 2008, despite numerous requests from its customers, although
these versions support "perfect forward secrecy". For example, see
<https://connect.microsoft.com/IE/feedback/details/796877/better-support-for-perfect-forward-secrecy>
Fortunately it's dead simple to enable "perfect forward secrecy" in
Windows Vista and later versions: just change the order of the TLS
cipher suites in the registry entry
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002]
"Functions"=multi:...
and reboot.
For Windows 7/Server 2008 R2/8/Server 2012 you can use the script
<http://home.arcor.de/skanthak/download/NT6_PFS.INF> to perform all
the necessary changes to enable PFS as well as TLS 1.2 and disable
some weak algorithms/ciphers too.
You'll see the success when you visit <https://www.howsmyssl.com/>,
<https://www.ssllabs.com/ssltest/viewMyClient.html> or
<https://cc.dcsec.uni-hannover.de/> with Internet Explorer 8 and
later after the reboot.
have fun
Stefan Kanthak
JFTR: IPsec is able to use "perfect forward secrecy" for MANY years,
see <http://support.microsoft.com/kb/252735>,
<http://support.microsoft.com/kb/301284> and
<http://support.microsoft.com/kb/816514> as well as
<http://technet.microsoft.com/library/cc759504.aspx>
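
The reordering described in the message, as an added PowerShell example; it is not part of the original post and is not the content of NT6_PFS.INF. It assumes that suites whose names start with TLS_ECDHE_ or TLS_DHE_ are the forward-secret ones; the `-Apply` switch, the function name, the backup file name and the sample order are hypothetical or constructed.

```powershell
# Added example, not from the original post. Run elevated on Windows.
param([switch]$Apply)   # hypothetical switch: without it nothing is written

# Key and value name as given in the message above.
$Key  = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'
$Name = 'Functions'

function Get-PfsFirstOrder {
    # Stable partition: suites with an ephemeral key exchange (ECDHE/DHE) move
    # to the front; the relative order inside each group is preserved.
    param([string[]]$Suites)
    $seen = @{}; $pfs = @(); $rest = @()
    foreach ($s in $Suites) {
        if ($s -eq '' -or $seen.ContainsKey($s)) { continue }   # skip blanks and duplicates
        $seen[$s] = $true
        # Assumption: the key exchange is identified by the suite name prefix.
        if ($s -match '^TLS_(ECDHE|DHE)_') { $pfs += $s } else { $rest += $s }
    }
    return ,($pfs + $rest)
}

$current = [Microsoft.Win32.Registry]::GetValue($Key, $Name, $null)
$fromRegistry = $null -ne $current
if (-not $fromRegistry) {
    # Constructed sample order, used only for the dry run when the value is absent.
    $current = @(
        'TLS_RSA_WITH_AES_128_CBC_SHA',
        'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
        'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
        'TLS_DHE_DSS_WITH_AES_128_CBC_SHA',
        'TLS_RSA_WITH_AES_128_CBC_SHA'
    )
}

$new = Get-PfsFirstOrder -Suites $current
for ($i = 0; $i -lt $new.Count; $i++) {
    $old = [Array]::IndexOf([string[]]$current, $new[$i])
    '{0,2}. {1}  (was position {2})' -f ($i + 1), $new[$i], ($old + 1)
}

if ($Apply) {
    if (-not $fromRegistry) { throw "Value '$Name' not found; nothing written." }
    # Keep the previous order so the change can be reverted (hypothetical file name).
    $current | Set-Content -Path (Join-Path $env:TEMP 'ssl-functions-before.txt')
    [Microsoft.Win32.Registry]::SetValue($Key, $Name, [string[]]$new, [Microsoft.Win32.RegistryValueKind]::MultiString)
    'Order written; it takes effect after the reboot the message calls for.'
}
```

Reordering only changes preference: suites without an ephemeral key exchange stay enabled and can still be negotiated with a peer that offers nothing else.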