Friday, 20 March 2015

Default security config of IE11 on Windows 8.1 is stronger than Chrome or Firefox

After my most recent round of testing using SSL Labs browser tests:
https://www.ssllabs.com/ssltest/viewMyClient.html

I was surprised to find that IE11 one Windows 8.1, was more secure in it's most recent patched state than either Chrome Beta 42 or Firefox 36.01.

Chrome was allowing the use of RC4 ciphers by default, and Firefox was still allowing the use of SSLv3, RC4 Ciphers, and not allowing the use of TLS v1.2.

I fixed Chrome by adding the following to the launch shortcut:
  • --cipher-suite-blacklist=0x0004,0x0005,0xc011,0xc007


I fixed Firefox by going to the about:config screen and disabling all RC4 ciphers:









I also set the minimum TLS version to 1 (v1.0) and maximum to 3 (v1.2):














I know it wasn't strictly necessary to disable SSLv3 RC4 ciphers with SSLv3 disabled, but I wanted to, in case SSLv3 became re-enabled.

Thanks to king_julian for the help with Chrome.

Thanks to //Crash Mag for the help with Firefox.

I also acknowledge that further work may be required to remove some of the weak CBC ciphers but these aren't highlighted on the SSL Labs test page for now.

No comments:

Post a comment