[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Defense in depth -- the Microsoft way (part 19): still no "perfect forward secrecy" per default in Windows 8/7/Vista/Server 2012/Server 2008 [R2]

Hi @ll,

on April 8, 2014 Microsoft published an update for Windows 8.1 and
Windows Server 2012 R2 (see <http://support.microsoft.com/kb/2929781>)
which enables "perfect forward secrecy" per default by reordering of
the TLS cipher suites.

Unfortunately Microsoft has not published corresponding updates for
Windows 8/Server 2012, Windows 7/Server 2008 R2 and Windows Vista/
Server 2008, despite numerous requests from its customers, although
these version support "perfect forward secrecy". For example, see

Fortunately it's dead simple to enable "perfect forware secrecy" in
Windows Vista and later versions: just change the order of the TLS
cipher suites in the registry entry


and reboot.

For Windows 7/Server 2008 R2/8/Server 2012 you can use the script
<http://home.arcor.de/skanthak/download/NT6_PFS.INF> to perform all
the necessary changes to enable PFS as well as TLS 1.2 and disable
some week algorithms/ciphers too.

You'll see the success when you visit <https://www.howsmyssl.com/>,
<https://www.ssllabs.com/ssltest/viewMyClient.html> or
<https://cc.dcsec.uni-hannover.de/> with Internet Explorer 8 and
later after the reboot.

have fun
Stefan Kanthak

JFTR: IPsec is able to use "perfect forward secrecy" for MANY years,
      see <http://support.microsoft.com/kb/252735>,
      <http://support.microsoft.com/kb/301284> and
      <http://support.microsoft.com/kb/816514> as well as