Full Disclosure mailing list archives

Defense in depth -- the Microsoft way (part 19): still no "perfect forward secrecy" per default in Windows 8/7/Vista/Server 2012/Server 2008 [R2]

From: "Stefan Kanthak" <stefan.kanthak () nexgo de>

Date: Sat, 6 Sep 2014 22:52:23 +0200

Hi @ll,

on April 8, 2014 Microsoft published an update for Windows 8.1 and Windows Server 2012 R2 (see <http://support.microsoft.com/kb/2929781>) which enables "perfect forward secrecy" per default by reordering of the TLS cipher suites.

Unfortunately Microsoft has not published corresponding updates for Windows 8/Server 2012, Windows 7/Server 2008 R2 and Windows Vista/Server 2008, despite numerous requests from its customers, although these versions support "perfect forward secrecy". For example, see <https://connect.microsoft.com/IE/feedback/details/796877/better-support-for-perfect-forward-secrecy>

Fortunately it's dead simple to enable "perfect forward secrecy" in Windows Vista and later versions: just change the order of the TLS cipher suites in the registry entry

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002]
"Functions"=multi:...

and reboot.

For Windows 7/Server 2008 R2/8/Server 2012 you can use the script <http://home.arcor.de/skanthak/download/NT6_PFS.INF> to perform all the necessary changes to enable PFS as well as TLS 1.2 and disable some weak algorithms/ciphers too.

You'll see the success when you visit <https://www.howsmyssl.com/>, <https://www.ssllabs.com/ssltest/viewMyClient.html> or <https://cc.dcsec.uni-hannover.de/> with Internet Explorer 8 and later after the reboot.

have fun
Stefan Kanthak

JFTR: IPsec has been able to use "perfect forward secrecy" for MANY years, see <http://support.microsoft.com/kb/252735>, <http://support.microsoft.com/kb/301284> and <http://support.microsoft.com/kb/816514> as well as <http://technet.microsoft.com/library/cc759504.aspx>
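The reordering the post describes, as an added PowerShell example that is not part of the original post and is not Stefan Kanthak's NT6_PFS.INF script. It reads the "Functions" value from the registry key named in the post, moves ECDHE and then DHE suites to the front, drops RC4/DES/NULL/MD5/export suites, and writes the list back. The weak-suite pattern and the GCM-before-SHA-2-CBC preference inside each group are this example's own choices, the function names are made up here, and the sample suite list is constructed for a dry run (it does not need admin rights or touch the registry).

```powershell
# Added example, not the script from the post: reorder Schannel's cipher suite
# list so forward-secret (ECDHE/DHE) suites are offered first and known-weak
# suites are dropped. Run from an elevated PowerShell; Schannel reads the list
# at boot, so reboot afterwards (as the post says).
# Registry key and value name are the ones named in the post. The weak-suite
# pattern and the GCM > SHA-2 CBC > other preference are this example's own
# assumptions, not something the post prescribes.

$SslConfigKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

# Order the suites of one key-exchange group: AEAD (GCM) first, then SHA-2 CBC
# suites, then the rest; the original order is kept inside each tier.
# Windows 7/8 suite names carry a curve suffix (e.g. _P256), hence (_P\d+)?.
function Sort-SuiteTier {
    param([string[]]$List)
    $gcm  = @($List | Where-Object { $_ -match '_GCM_' })
    $sha2 = @($List | Where-Object { $_ -notmatch '_GCM_' -and $_ -match '_SHA(256|384)(_P\d+)?$' })
    $rest = @($List | Where-Object { $_ -notmatch '_GCM_' -and $_ -notmatch '_SHA(256|384)(_P\d+)?$' })
    return $gcm + $sha2 + $rest
}

# Pure function: takes the current suite list, returns the hardened order.
function Select-PfsCipherSuiteOrder {
    param([string[]]$Suites)
    # Never offer RC4, single/triple DES, NULL encryption, MD5 MACs or export suites.
    $weak = 'RC4|_DES_|3DES|NULL|MD5|EXPORT'
    $kept = @($Suites | Where-Object { $_ -notmatch $weak })

    $ecdhe = @($kept | Where-Object { $_ -match '^TLS_ECDHE_' })
    $dhe   = @($kept | Where-Object { $_ -match '^TLS_DHE_' })
    $other = @($kept | Where-Object { $_ -notmatch '^TLS_(EC)?DHE_' })

    return @(Sort-SuiteTier $ecdhe) + @(Sort-SuiteTier $dhe) + @(Sort-SuiteTier $other)
}

# Read, reorder and write back; -WhatIf shows what would be written without
# touching the key. Returns the new list so it can be inspected or logged.
function Enable-SchannelPfs {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param()
    $current = (Get-ItemProperty -Path $SslConfigKey -Name Functions).Functions
    if (-not $current) { throw "No 'Functions' value found under $SslConfigKey" }
    $new = Select-PfsCipherSuiteOrder -Suites $current
    if ($PSCmdlet.ShouldProcess($SslConfigKey, "Write $($new.Count) suites, ECDHE first")) {
        Set-ItemProperty -Path $SslConfigKey -Name Functions -Value $new -Type MultiString
    }
    return $new
}

# Constructed sample (a subset of the names a Windows 7 box offers), for a
# dry run of the ordering logic alone:
$sample = @(
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_RC4_128_SHA',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
    'TLS_DHE_DSS_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
    'TLS_RSA_WITH_NULL_SHA256'
)
Select-PfsCipherSuiteOrder -Suites $sample

# Real run (elevated): preview first, then apply and reboot.
# Enable-SchannelPfs -WhatIf
# Enable-SchannelPfs
```

Two caveats when using this for real: a "SSL Cipher Suite Order" Group Policy setting, if one is applied, takes precedence over the Local key edited here, so check policy before wondering why the order did not change; and the example only reorders suites, it does not enable TLS 1.2, which the post's INF script handles separately. After the reboot, the client-check sites listed in the post show whether the browser now offers ECDHE suites first.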