5

Recently, my PCI assessor informed me that my servers are vulnerable to BEAST and failed me. I did my homework and I want to change our webservers to prefer RC4 ciphers over CBC. I followed every guide I could find...

I changed my reg keys for my weaker-than-128-bit encryption to Enabled = 0. I completely removed the reg keys for the weaker encryptions. I downloaded IISCrypto and unchecked everything but RC4 128 ciphers and triple DES 168.

My webserver still prefers AES-256SHA. Is there a trick in IIS 6.0 to get your webservers to prefer RC4 ciphers that I am not figuring out? It seems like in IIS 7 they made this very easy to fix but that doesn't help me now!

Thomas Pornin
D3l_Gato
  • Are there any load balancers/proxies/application firewalls in front of your web servers? That could explain why you're still seeing AES-256SHA even if you have it disabled on the web server. – k1DBLITZ Dec 10 '12 at 16:39

1 Answer

3

A possible fix is to totally disable all non-RC4 cipher suites. This will break connections from clients who have elected not to use RC4 (possibly, these would be quite rare), but at least it will guarantee that if a connection is made at all, then it will use RC4, which is immune to BEAST.

In true SSL/TLS, the server is supposed to follow the client's order of preferences: the list of supported cipher suites sent by the client is ordered, and the server should choose the first suite in this list that it also supports. The mitigation for BEAST that you are looking for is actually a way to make your IIS somewhat discourteous; it seems that Microsoft did not provide a setting for that in IIS 6.0.

Note that Web browsers may also include a fix, called record splitting. See for instance this fix from Microsoft; it appears that an up-to-date Internet Explorer will split the records by default, and thus be immune to BEAST, even if a CBC-based cipher suite is used. Therefore, one way to fix your potential BEAST-related vulnerability is to do nothing and let the clients fix their browsers, which they should anyway (a Web browser which is not up to date, that's another name for "suicide"). After all, the BEAST attack is an attack on the client.

Thomas Pornin
  • Do you think my PCI assessor will buy that? ;) Unfortunately, I need to at least show them that my server prefers RC4. I found a little tool called SSLScan.exe and it tells me that my server prefers AES256: SSLv3 256 bits AES256-SHA TLSv1 256 bits AES256-SHA – D3l_Gato Dec 07 '12 at 16:54
  • @Thomas - I'd love to see an example of turning off these ciphers. We're getting failed on our audit for the same reason. It's an old Exchange 2003 box and we're getting failed for our SSL encrypted SMTP rules. – Tim Brigham Dec 07 '12 at 17:20
  • Found this site: http://www.serversniff.net/sslcheck.php which reports the cyphers the server's running. – GlennG Dec 11 '12 at 23:04
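
The selection rule the answer describes, as an added example (not code from the answer, from IIS or from any tool named above): a Python model of how the negotiated suite depends on whose order is followed and on which suites the server has enabled. The OpenSSL-style suite names, the client offer lists and the server configurations are constructed for illustration.

```python
# Added illustration: models cipher-suite selection only, not a TLS stack.
# Suite names (OpenSSL-style) and client offers are constructed sample data.
CBC_SUITES = {"AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"}

def select_suite(client_offer, server_suites, server_order=False):
    """Return the negotiated suite, or None when there is no overlap
    (the handshake fails)."""
    if server_order:
        # "Discourteous" server: walk its own list, ignore the client's order.
        ordered, allowed = server_suites, set(client_offer)
    else:
        # Behaviour described in the answer: first client suite the server has.
        ordered, allowed = client_offer, set(server_suites)
    return next((s for s in ordered if s in allowed), None)

def uses_cbc(suite):
    """True when the negotiated suite is CBC-based (the BEAST-relevant case)."""
    return suite in CBC_SUITES

# Constructed client offers, in the client's order of preference.
CLIENTS = {
    "aes_first": ["AES256-SHA", "AES128-SHA", "RC4-SHA", "DES-CBC3-SHA"],
    "3des_first": ["DES-CBC3-SHA", "RC4-SHA"],
    "no_rc4": ["AES256-SHA", "DES-CBC3-SHA"],
}
# Constructed server configurations.
SERVERS = {
    "everything": ["RC4-SHA", "AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"],
    "rc4_and_3des": ["RC4-SHA", "DES-CBC3-SHA"],
    "rc4_only": ["RC4-SHA"],
}

def negotiate_all(server_order=False):
    """Map (server, client) -> negotiated suite for every pairing."""
    return {(s, c): select_suite(offer, suites, server_order)
            for s, suites in SERVERS.items()
            for c, offer in CLIENTS.items()}

if __name__ == "__main__":
    for order in (False, True):
        print("server order" if order else "client order")
        for (s, c), suite in negotiate_all(order).items():
            flag = "no connection" if suite is None else ("CBC" if uses_cbc(suite) else "RC4")
            print(f"  {s:13} {c:11} {suite} [{flag}]")
```

Only the `rc4_only` configuration yields RC4 for every client that connects at all, at the cost of refusing the `no_rc4` client; with 3DES left enabled, a client that ranks it first still negotiates a CBC suite when the client's order is followed.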