- Thread Author
-
- #1
A question that I could not seem to find a direct answer to:
I have IE8 32 and IE8 64 running on WIN7 64 with Norton Internet Security 2010. Both show a cipher strength of 256 under Help/About. When I run a cipher test on a site like Fortify.net it shows both as running a 128 cipher, not 256. I have tried different adjustments to TLS and SSL settings as well as Security Level and I tried using Compatibility Mode with the same result.
PC is running fine and I don't have any issues with accessing networks or Banking sites but I find this scenario very peculiar and frankly annoying. Is there something I should adjust settings-wise? Does IE8 revert to 128 under certain circumstances? Why is IE8 not using a 256 cipher when it says it is 256?
- Thread Author
-
- #2
I found an interesting post on another website by a Mr. Chris R. Chapman. The author explains what I had guessed about this situation.
Today, a friend remarked to me that according to an SSL framecheck site he uses (Fortify SSL Check) his 64–bit Win7 + IE8 configuration was registering as 128 bit AES by default, and not – as he anticipated – 256 bit AES (as Firefox does, for example).
This is true and by design: The IE team made a conscious decision to trade off cipher strength for speed, since 128 bits is sufficient for securing most channels reliably and does not impact speed on HTML-heavy sites. However, what if you do want 256–bit AES cipher strength as the default for securing IE’s channel? Fear not – here’s the resolution I was able to surface:
- Launch “Edit Group Policy” from the Start menu.
- Navigate to Computer Configuration—>Administrative Templates—>SSL Configuration Settings via the treeview control.
- Note that in the right pane, the entry is not enabled – double-click the entry to bring up the edit dialog and select the “Enable” radio button.
- In the text box under Options on the left side, paste-in the comma-delimited list from the following file: Link Removed due to 404 Error
- Click OK and close off the policy editor dialog.
- Reboot.
- Navigate to the Fortify site and verify that AES 256 is your default cipher strength.
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA
to:
TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA
Enjoy responsibly.
So IE8 does indeed default to a 128 cipher the vast majority of the time regardless of the 256 cipher listing in HELP/ABOUT, unlike other browsers such as Firefox. Curious as to people's thoughts on this?
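The behaviour discussed in this thread, as an added example that is not part of the original posts or of Mr. Chapman's article: the strongest suite a client offers and the suite a connection actually negotiates are separate things, and the order of the list decides the second. The two orderings are copied from the post above; the server's suite set is constructed, and the model assumes the server picks the first client suite it also supports.

```python
import re

# The two orderings quoted in the post above.
DEFAULT_ORDER = ("TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,"
                 "TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA")
REORDERED = ("TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,"
             "TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA")
# Constructed sample: suites a hypothetical server accepts.
SAMPLE_SERVER = {"TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA"}
POLICY_MAX_CHARS = 1023  # length limit Microsoft documents for this policy setting


def parse_order(policy_text):
    """Split the comma-delimited policy string; reject blanks and duplicates."""
    if len(policy_text) > POLICY_MAX_CHARS:
        raise ValueError("list exceeds the policy length limit")
    suites = [s.strip() for s in policy_text.split(",")]
    if any(not s for s in suites) or len(set(suites)) != len(suites):
        raise ValueError("empty or duplicate suite name")
    return suites


def aes_bits(suite):
    """AES key size taken from the suite name, or 0 if the suite is not AES."""
    m = re.search(r"_AES_(128|256)_", suite)
    return int(m.group(1)) if m else 0


def prefer_aes256(policy_text):
    """Stable reorder: larger AES key first, original order kept within a size."""
    return ",".join(sorted(parse_order(policy_text), key=lambda s: -aes_bits(s)))


def negotiate(client_policy, server_suites):
    """First client suite the server supports (assumes client order is honoured)."""
    return next((s for s in parse_order(client_policy) if s in server_suites), None)


def report(client_policy, server_suites):
    """Return (strongest AES size offered, AES size actually negotiated)."""
    offered = max(aes_bits(s) for s in parse_order(client_policy))
    chosen = negotiate(client_policy, server_suites)
    return offered, aes_bits(chosen) if chosen else None


if __name__ == "__main__":
    print("default order  :", report(DEFAULT_ORDER, SAMPLE_SERVER))
    print("AES-256 first  :", report(prefer_aes256(DEFAULT_ORDER), SAMPLE_SERVER))
```

A server that enforces its own preference order can still select a 128-bit suite after the reorder, so the result is worth confirming per site rather than assuming.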