I\'m currently in the process of compiling a Ciphersuite policy to be used on al

Question

I'm currently in the process of compiling a Ciphersuite policy to be used on all of our new WS 12 & IIS 8.5 web servers. In the past I've always manually applied the registry keys into SChannel but I've come across the handy tool, IIS Crypto.

I always intended to disable SSLv3 and have been wanting to do this for quite some time. The announcement of POODLE has enabled me to finally push through and get this protocol disabled.

I've read that the vulnerability is apparent with CBC ciphers when used with SSLv3. With this in mind, in the Cipher Suite Order list within IIS Crypto, is it okay to leave cipher suites enabled that do use CBC as long as SSLv3 is disabled in the Protocols list?

Thanks.

Explanation / Answer

Yes, it is ok to have CBC ciphersuites in the list as long as SSLv3.0 is disabled. The issue is not the CBC mode itself, but the SSLv3.0 specification for the padding format. The padding format in TLSv1.0 is more restrictive, so the malleability required to mount the POODLE attack no longer exists.

Related Questions

Navigate

• Browse (All)
• Browse I
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.