Started By
Message
The TLS Settings on TD Are Wrong
Posted on 1/8/23 at 10:50 am
Posted on 1/8/23 at 10:50 am
I know this isn't a banking website that needs high security, and I doubt there's hackers out there plotting how to break TD. But I just thought I'd let Chicken know that his TLS settings are configured wrong. When I check the certificate for this site, my Chrome browser is giving me a warning saying the connection settings are "obsolete."
This site seems to prefer AES-CBC mode, but that is now broken and shouldn't be the preferred option. Here is how my latest version of Chrome lists its cipher preferences. If I were Chicken, I would just configure my server to have the same preferences. (I am assuming Chicken or his webmaster knows where the config file is):
AES_128_GCM_SHA256
AES_256_GCM_SHA384
CHACHA20_POLY1305_SHA256
ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
ECDHE_RSA_WITH_AES_128_GCM_SHA256
ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ECDHE_RSA_WITH_AES_256_GCM_SHA384
ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Then at the bottom of the list you could accommodate old browsers:
ECDHE_RSA_WITH_AES_128_CBC_SHA
ECDHE_RSA_WITH_AES_256_CBC_SHA
RSA_WITH_AES_128_GCM_SHA256
RSA_WITH_AES_256_GCM_SHA384
RSA_WITH_AES_128_CBC_SHA
RSA_WITH_AES_256_CBC_SHA
Basically you want all the "AES-GCM" modes and all the "ChaCha20-poly1305" modes to be at the top of the list. And you want to prioritize "ECDH" over the "RSA" modes (because ECDH is much faster).
This site seems to prefer AES-CBC mode, but that is now broken and shouldn't be the preferred option. Here is how my latest version of Chrome lists its cipher preferences. If I were Chicken, I would just configure my server to have the same preferences. (I am assuming Chicken or his webmaster knows where the config file is):
AES_128_GCM_SHA256
AES_256_GCM_SHA384
CHACHA20_POLY1305_SHA256
ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
ECDHE_RSA_WITH_AES_128_GCM_SHA256
ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
ECDHE_RSA_WITH_AES_256_GCM_SHA384
ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
Then at the bottom of the list you could accommodate old browsers:
ECDHE_RSA_WITH_AES_128_CBC_SHA
ECDHE_RSA_WITH_AES_256_CBC_SHA
RSA_WITH_AES_128_GCM_SHA256
RSA_WITH_AES_256_GCM_SHA384
RSA_WITH_AES_128_CBC_SHA
RSA_WITH_AES_256_CBC_SHA
Basically you want all the "AES-GCM" modes and all the "ChaCha20-poly1305" modes to be at the top of the list. And you want to prioritize "ECDH" over the "RSA" modes (because ECDH is much faster).
Back to top
Follow SECRant for SEC Football News