
I understand the TLS cipher suites using CBC mode are susceptible to timing attacks. From that understanding it seems that the cipher suites using GCM (CTR-based) are safe to use considering they don't need padding.

However, in Java, the SunJSSE provider by default enables many cipher suites that use CBC. Whether those cipher suites will be used or not is determined by the client preference.

While using the latest versions of Chrome and Firefox, I noticed the cipher suite used is AES_128_GCM.

Now, is it advisable to disable all the CBC related cipher suites in the server to ensure only GCM is used regardless of the client preferences? Is there any limitation with this approach of using only GCM related cipher suites?

Saptarshi Basu

2 Answers


Based on the useful comments above, some of the resources I found to provide an insight into the matter are as follows:

  1. TLS Support tells us which browser versions support which TLS versions. Since (as puzzlepalace mentioned) GCM was introduced in TLSv1.2, we get an idea as to what browser versions we'll miss out on by supporting only GCM.
  2. Qualys (as forest mentioned) shows some of the best SSL configured website and the cipher suites used. This also shows the cipher suites used by your browser. The best practices for TLS deployment and the recommended list of cipher suites are listed here. Finally, this table lists which browser versions support what.

In summary, all major browsers support TLS 1.2 since Oct, 2013 and therefore GCM.

Forward secrecy (ECDHE) is available from even before.

Saptarshi Basu

In the moz://a SSL Configuration Generator, both the "Modern" and "Intermediate" configurations contain cipher suites which simultaneously assure the confidentiality and authenticity of data (AEAD) as GCM does, but not only GCM does. See Poly1305 and Encrypt-then-MAC (EtM) for details. In "Modern" mode only TLS 1.3 is enabled, where the standard contains only AEAD ciphers. Only the "Old" configuration contains CBC ciphers. From this point of view, if you want to support modern and intermediate clients you do not have to support CBC ciphers. If backward compatibility is a must and you have to provide CBC ciphers, always use cryptographic libraries and server applications that support the Encrypt-then-MAC extension for TLS, or at least prefer AEAD ciphers over non-AEAD ones, as well-configured clients do and as NIST suggests in SP 800-52.

As the author (of this website) I would suggest to check TLS setting by Scanigma as all the criteria mentioned are checked, explained and graded by it.

Scanigma
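The following is an added example, not code from the question or either answer, showing how the restriction discussed above (AEAD suites only, TLS 1.2 and up, server-side preference order) can be applied to a SunJSSE server socket. It assumes port 8443 and that the server's key material is supplied via the usual `javax.net.ssl.keyStore` system properties; `aeadOnly` and `tls12AndUp` are hypothetical helper names.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import java.util.Arrays;
import java.util.List;

public class AeadOnlyTlsServer {

    // Keep only AEAD suites: GCM (the asker's choice) plus ChaCha20-Poly1305,
    // which the second answer notes is AEAD too. CBC, RC4, NULL and anon all drop out.
    static String[] aeadOnly(String[] supported) {
        return Arrays.stream(supported)
                .filter(s -> s.contains("_GCM_") || s.contains("_CHACHA20_POLY1305_"))
                .filter(s -> !s.contains("_anon_"))        // no anonymous key exchange
                .toArray(String[]::new);
    }

    // AEAD suites exist only in TLS 1.2 and 1.3, so older protocol versions add nothing here.
    static String[] tls12AndUp(String[] supported) {
        List<String> wanted = Arrays.asList("TLSv1.3", "TLSv1.2");
        return Arrays.stream(supported).filter(wanted::contains).toArray(String[]::new);
    }

    public static void main(String[] args) throws Exception {
        // Assumption: key material comes from -Djavax.net.ssl.keyStore / keyStorePassword.
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters supported = ctx.getSupportedSSLParameters();

        SSLParameters params = ctx.getDefaultSSLParameters();
        params.setProtocols(tls12AndUp(supported.getProtocols()));
        params.setCipherSuites(aeadOnly(supported.getCipherSuites()));
        params.setUseCipherSuitesOrder(true);   // server order wins over client preference

        SSLServerSocket server = (SSLServerSocket)
                ctx.getServerSocketFactory().createServerSocket(8443);
        server.setSSLParameters(params);

        System.out.println("Protocols: " + Arrays.toString(server.getEnabledProtocols()));
        System.out.println("Suites:    " + Arrays.toString(server.getEnabledCipherSuites()));
        // server.accept() now fails the handshake for any client that offers only CBC
        // suites or only TLS < 1.2, which is the compatibility trade-off the first answer describes.
    }
}
```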