netsekure rng

Windows 7 includes support for TLS 1.1 and TLS 1.2. I’ve been running with enabled 1.2 support for a while now and no problems at all, so I figured I’d share how to enable it. You need to import these 4 reg keys:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000

This will allow Win7 to use TLS 1.1 and 1.2, but that will work for apps that don’t explicitly ask for the TLS version they want to use. IE is one of those that want to be in control, so you need to tell it explicitly that you want it to use the new versions of TLS. To do that, you need to check the 1.1 and 1.2 checkboxes under Tools->Internet Options->Advanced->Security.

After you’ve done that, one may wonder how to check if this actually works. You can go to one of the few TLS interop servers available on the net. Here are a few that I know of which support TLS 1.2:

• https://www.mikestoolbox.org/. This server will display the TLS version your browser uses right on the page
• https://tls.woodgrovebank.com/ – Microsoft’s TLS interop server
• http://tls.secg.org/ – Certicom’s interop server which shows you details about the entire handshake.

In general, you can check the page’s properties for the connection info. Going to Mike’s toolbox site IE shows “TLS 1.2, AES with 128 bit encryption (High); RSA with 1024 bit exchange”.

Hopefully enough people will support TLS1.2 soon enough so the world can move on : )

I recently installed a plugin for my blog to help with one of the daily tasks I do, only to find out that it is improperly coded, such that it requests resources using HTTP, even though I access my admin section through HTTPS. With all the latest findings on how insecure the web is and the CookieMonster tool by Mike Perry in the wild, this is not a risk I’m willing to accept. The developers of the plugin are completely unresponsive, so I figured I’ll just block my browser from loading mixed mode content (HTTP and HTTPS).

Here comes the fun part. I am a heavy Firefox user and use IE only occasionally. The problem is that Firefox doesn’t have such a feature. It has a dialog box warning you about mixed mode content, but it doesn’t prevent downloading plaintext content. It is rarely that I feel IE is doing much better than Firefox*, but in this case I have to give it the thumbs up, since it actually has a setting to disallow loading of insecure content.

After hunting around the web for a way to disable mixed mode content from loading in Firefox, the only thing I could find is an extension developed by Standford people – ForceHTTPS. Their paper is an informative read if you are not familiar with the problems with mixing content, but alas their extension does not work with the latest version of Firefox : (. I tried contacting them, but so far I haven’t gotten any response. I wish Firefox will include such a setting in the core browser, but if not, I might be forced to write a similar extension myself. If someone knows of other extensions that do this, let me know.

* After this year’s DefCon, I must say that IE has gained some points on its scoreboard when it comes to security.