BugTraq
Defense in depth -- the Microsoft way (part 19): still no "perfect forward secrecy" per default in Windows 8/7/Vista/Server 2012/Server 2008 [R2] Sep 06 2014 08:52PM
Stefan Kanthak (stefan kanthak nexgo de)
Hi @ll,

on April 8, 2014 Microsoft published an update for Windows 8.1 and
Windows Server 2012 R2 (see <http://support.microsoft.com/kb/2929781>)
which enables "perfect forward secrecy" per default by reordering of
the TLS cipher suites.

Unfortunately Microsoft has not published corresponding updates for
Windows 8/Server 2012, Windows 7/Server 2008 R2 and Windows Vista/
Server 2008, despite numerous requests from its customers, although
these version support "perfect forward secrecy". For example, see
<https://connect.microsoft.com/IE/feedback/details/796877/better-support
-for-perfect-forward-secrecy>

Fortunately it's dead simple to enable "perfect forware secrecy" in
Windows Vista and later versions: just change the order of the TLS
cipher suites in the registry entry

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Config
uration\Local\SSL\00010002]
"Functions"=multi:...

and reboot.

For Windows 7/Server 2008 R2/8/Server 2012 you can use the script
<http://home.arcor.de/skanthak/download/NT6_PFS.INF> to perform all
the necessary changes to enable PFS as well as TLS 1.2 and disable
some week algorithms/ciphers too.

You'll see the success when you visit <https://www.howsmyssl.com/>,
<https://www.ssllabs.com/ssltest/viewMyClient.html> or
<https://cc.dcsec.uni-hannover.de/> with Internet Explorer 8 and
later after the reboot.

have fun
Stefan Kanthak

JFTR: IPsec is able to use "perfect forward secrecy" for MANY years,
see <http://support.microsoft.com/kb/252735>,
<http://support.microsoft.com/kb/301284> and
<http://support.microsoft.com/kb/816514> as well as
<http://technet.microsoft.com/library/cc759504.aspx>

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus