Cipher suites are sets of instructions on how to secure a network through SSL (Secure Sockets Layer) or TLS (Transport Layer Security). As such, cipher suites provide essential information on how to communicate secure data when using HTTPS, FTPS, SMTP and other network protocols. This information takes the form of algorithms and protocols that help determine how a web server secures a client’s web traffic. Cipher suites dictate which of these algorithms the server should use to make a secure and reliable connection. But it’s important to remember that cipher suites do not just ensure the security, but also the compatibility and performance of HTTPS connections. So, you should choose yours wisely.
Cipher suites come into play before a client application and server exchange information over an SSL/TLS connection. As noted by JSCAPE, the client application initiates what is known as an SSL handshake. Part of that process involves notifying the server which cipher suites it supports. The server receives that information and compares the cipher suites supported by the client application with the algorithms it supports. If and when it finds a match of supported methods, the server notifies the client application and a secure connection is established. If it doesn’t find a match, the server refuses the connection.
Because your web server will ultimately determine the cipher suite that will be used, it’s important that you prioritize the list of cipher suites you list on the server. In the section below, we’ll outline the component algorithms that make up a cipher suite, so you can better understand the function of the ciphers you list on your web server. Your choice will also likely be influenced by your users and the technologies they are using.
Per Outspoken Media, there are four components that make up a cipher suite. These are as follows:
Put together, here is an example of a cipher suite name: DHE_RSA_AES256_SHA256. This particular cipher suite uses DHE for its key exchange algorithm, RSA as its authentication algorithm, AES256 for its bulk data encryption algorithm, and SHA256 for its Message Authentication Code (MAC) algorithm.
Several network-level vulnerabilities have emerged in the past. Among them were SSL/TLS-based vulnerabilities like Heartbleed and POODLE. To mitigate these vulnerabilities, organizations should use different versions of available cipher suites or disable the acceptance of vulnerable suites. For example, to defend against POODLE, SSLv3 needs to be disabled. Disabling cipher suites can sometimes result in compatibility issues, but JSCAPE points out that most of the major web browsers update their cipher suites following the release of an SSL/TLS-based vulnerability anyway. Organizations should therefore advise web users to install the latest software patches in order to avoid compatibility issues.
Of course, cipher suites are just one method of security that organizations should employ. Companies also need to make sure they defend the SSL/TLS certificates against digital attackers. To achieve this level of protection, organizations should consider investing in a solution that helps them automatically discover all of their encryption keys and certificates, monitor those assets for signs of misuse, revoke a compromised asset and renew certificates before their expiration period arrives.
Note: This updated post was originally published on March 19, 2019.