Why does tls_version "TLS 1.2" from howsmyssl rate "Probably Okay" in Chrome on Windows 10 but "Bad" in IE11 on Windows 7?

I’m implementing an API endpoint based on howsmyssl to check the TLS version of clients and then notify those clients about whether or not they passed the test. However, several clients have reported failing the test on our site …

How to get Outlook 2013 to encrypt using AES and not 3DES [migrated]

In my company we are exchanging emails with a government authority once a month, and they require us to encrypt those emails with the encryption algorithm AES-128, AES-192 or AES-256. For this purpose we did purchase an email digital ID from Trustwave.

The computer from which we are sending the emails is running Windows 7 and using Outlook 2013 as email client.

The authority sent us their certificates, and I did install them and attach them to their contact in Outlook. Then I did import our newly purchased certificate into Outlook from Options > Trust Center > Email Security and set up the required algorithm (AES-128).

All looks fine and now we try to send email to the authority but the email explicitly gets encrypted with 3DES algorithm …

Then I send encrypted email with the same settings to my colleague and the email is encrypted with the right algorithm – AES-128 …

I have not been able to solve this problem in the last two weeks; I tried multiple times to reinstall all the certificates, to set up all possible different settings related to email encryption in Outlook, and tried using The Bat email client, but nothing solves the problem. Emails get explicitly encrypted with 3DES and the authority is not accepting our emails …

I decided to ask here, so I am open to suggestions on how to approach this problem…


What comes next after AES with the DES and Sweet32 issue? [on hold]

I had previously asked: What’s after AES if 3DES gets BWAIN’d* out of existence?

Sweet32 is a BWAIN which compromises 3DES. That means that we are down to just AES. So, what happens if we get a BWAIN for AES?

The answer is Camellia and maybe chacha20-poly1305. But, these are quite rare. For example, the AWS ELB doesn’t appear to support either of them.

Should companies start looking to support (one or both of) these two ciphers?
By companies, I mean anyone and everyone. Since it takes a good amount of time to implement a new protocol or cipher on a bunch of systems, if tomorrow there is a problem with AES, then probably 99% of sites are out of luck.

For planning purposes, what sort of contingency is good for what to do about having only AES as the “acceptable” cipher? Management doesn’t like not having a contingency. TLS 1.3 has others in it, but it is still draft, meaning no/little support from major security appliances and load balancers. Even ChaCha and Camellia have little support from the major suppliers, and if they have support, it is likely only on their latest and greatest systems, not the 3-5 year old systems that many/most organizations have.

Does anyone have an actual plan? I haven’t seen PCI, NIST, SANS/CIS or any others come up with something. Does AWS for ELB? I haven’t seen it.

BWAIN = Bug With An Impressive Name
