Brother
Professional
As part of the Gossite Monitor project, we regularly come across insufficiently secured and even openly "leaky" web servers, and their administrators often ignore reports of the problems and vulnerabilities found. Since these servers host government sites, you simply cannot refuse to visit them. So what can a visitor to such sites set against the carelessness of their administrators, on the client side?
Microsoft has a rather peculiar understanding of support for the encrypted HTTPS protocol in its operating system. While Mozilla brought support for TLS version 1.3 to Firefox back in the days of Windows XP, Microsoft began to support it at the OS level only in Windows 10. The corporation has a no less peculiar idea of which cipher suites should be supported. Fortunately, the situation can be improved by tweaking hidden and not-so-hidden Windows settings.
Let's start with the basics.
1. Most programs that access the Internet under Windows use the operating system's own functionality and settings for this (Secure Channel, SChannel). Browsers, including Google Chrome, email and FTP clients, the update utilities of some Adobe Creative Suite products, and so on: they all go online via SChannel. The only exceptions are programs that ship their own crypto libraries for this purpose, for example Mozilla Firefox.
But there is a nuance: if you run a program on an OS version it does not officially support, it may work with SChannel in a peculiar way. For example, there is a "popular" way to install Windows Mail from Windows Vista on Windows 7, from which Microsoft for some reason cut this mail client. And then a surprise awaits: Windows Mail on Windows 7 will only be able to use the cipher suites of Windows Vista (that is, no AEAD cipher suite at all), although in theory it ought to rely on the SChannel of Windows 7.
2. When negotiating the parameters of a TLS connection, the server is supposed to take the client's preferences regarding cipher suites and elliptic curves into account. But if those preferences are not set, and the server administrator's arms grow out of the place where normal people's legs grow, our HTTPS connection may end up "protected" by SSL 2.0 even though both sides support TLS 1.3.
SChannel settings live in the HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel registry branch, and most of them have meaningful names.
In the Ciphers, Hashes and similar sections, the Enabled parameter takes DWORD values: ffffffff - enabled, 00000000 - disabled.
The Diffie-Hellman section is responsible for the DHE key exchange algorithm and the ECDH section for ECDHE (Windows does not support cipher suites based on static DH or ECDH key exchange, i.e. without a one-time DH key); the PKCS section is for RSA key exchange.
The ServerMinKeyBitLength parameter of the Diffie-Hellman section takes DWORD values corresponding to the minimum length of the DH group modulus: 00000400 - 1024 bits, 00000800 - 2048 bits, 00000c00 - 3072 bits, and 00001000 - 4096 bits.
The Protocols section contains Client and Server subsections that hold separate settings for the computer acting as a client and as a server. The Enabled and DisabledByDefault parameters take DWORD values: 00000000 - no, 00000001 - yes. Don't ask what the logic is; just set consistent values for both parameters.
Thus we can specify which transport layer security protocols and versions are supported, and the list of supported cryptographic algorithms. We can also explicitly set the supported cipher suites and elliptic curves in the HKLM\Software\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 branch, which contains the Functions string parameter and the EccCurves multi-string parameter (Windows 10 and 11 only).
The first parameter contains a list of allowed cipher suites separated by commas (without spaces) in a specific format, so it is better to set it through the Group Policy that comes with the appropriate help: Computer Configuration / Administrative Templates / Network / SSL Settings / Order of SSL Cipher suites (depending on the Windows version, the name of the policy may vary slightly). The second (Windows 10 and 11 only) is called "ECC Curve Order" in Group Policy and specifies the list and preference order of allowed elliptic curves.
As a result we get, for example, the following values (do not rush to import them into the registry):
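Before changing anything it is worth seeing what is actually set. The following read-only audit is an added example, not code from the original post: it walks the SChannel sections and the 00010002 policy key described above and reports each value, flagging the inconsistent Enabled/DisabledByDefault combinations the text warns about. It assumes an elevated PowerShell on Windows 7 or later.

```powershell
# Added example, not code from the original post: read-only audit of the client-side
# SChannel settings. Key names containing "/" (e.g. "AES 128/128") confuse the
# PowerShell registry provider, so the .NET registry API is used instead.
$hklm     = [Microsoft.Win32.Registry]::LocalMachine
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
function Get-Dword([string]$SubKey, [string]$Name) {
    # $null means the value is absent and the OS default applies; that default differs
    # between Windows versions, so "absent" does not mean "secure".
    $k = $hklm.OpenSubKey($SubKey)
    if ($null -eq $k) { return $null }
    try { $k.GetValue($Name) } finally { $k.Close() }
}
function Describe($v) {
    # REG_DWORD ffffffff is read back by .NET as Int32 -1, so only test for 0.
    if ($null -eq $v) { 'not set (default)' } elseif ($v -eq 0) { 'disabled' } else { 'enabled' }
}
'== Protocols (Client) =='
foreach ($p in 'Multi-Protocol Unified Hello','PCT 1.0','SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2','TLS 1.3') {
    $sub = "$schannel\Protocols\$p\Client"
    $en  = Get-Dword $sub 'Enabled'
    $dbd = Get-Dword $sub 'DisabledByDefault'
    # The post says to keep Enabled and DisabledByDefault consistent; flag mixed states.
    $note = ''
    if (($en -eq 0 -and $dbd -eq 0) -or ($null -ne $en -and $en -ne 0 -and $dbd -eq 1)) {
        $note = '  <- Enabled/DisabledByDefault inconsistent'
    }
    '{0,-30} Enabled={1,-18} DisabledByDefault={2}{3}' -f $p, (Describe $en), (Describe $dbd), $note
}
'== Ciphers / Hashes / KeyExchangeAlgorithms =='
foreach ($section in 'Ciphers','Hashes','KeyExchangeAlgorithms') {
    $k = $hklm.OpenSubKey("$schannel\$section")
    if ($null -eq $k) { "$section : no subkeys, OS defaults apply"; continue }
    foreach ($name in $k.GetSubKeyNames()) {
        '{0,-22} {1,-20} {2}' -f $section, $name, (Describe (Get-Dword "$schannel\$section\$name" 'Enabled'))
    }
    $k.Close()
}
$dh = Get-Dword "$schannel\KeyExchangeAlgorithms\Diffie-Hellman" 'ServerMinKeyBitLength'
if ($null -ne $dh) { "DHE minimum group modulus: $dh bits" }
'== Cipher suite and curve policy (00010002) =='
$pol = $hklm.OpenSubKey('SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002')
if ($null -eq $pol) { 'policy key absent: OS default suite order and curves' }
else {
    $functions = $pol.GetValue('Functions')   # REG_SZ, comma-separated suite list
    $curves    = $pol.GetValue('EccCurves')   # REG_MULTI_SZ, returned as string[]
    if ($functions) { $functions -split ',' | ForEach-Object { "suite: $_" } }
    if ($curves)    { "curves: $($curves -join ', ')" }
    $pol.Close()
}
```

Run it once before and once after importing the .reg files below to confirm that what the registry holds is what you intended.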
Code:
Windows Registry Editor Version 5.00
; In a .reg file a value line applies only to the key header directly above it, so each key gets its own "Enabled".
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA256]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA384]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA512]
"Enabled"=dword:ffffffff
; ServerMinKeyBitLength belongs to the Diffie-Hellman key, as described above (2048-bit minimum modulus).
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"Enabled"=dword:ffffffff
"ServerMinKeyBitLength"=dword:00000800
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
For Windows 7-8.1:
Code:
Windows Registry Editor Version 5.00
; Windows 7/8.1 cipher suite names carry the curve as a _P256/_P384/_P521 suffix.
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
For Windows 10-11:
Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
; EccCurves is a REG_MULTI_SZ (hex(7) = UTF-16LE, NUL-separated): curve25519, nistP521, nistP384, nistP256
"EccCurves"=hex(7):63,00,75,00,72,00,76,00,65,00,32,00,35,00,35,00,31,00,39,00,00,00,6e,00,69,00,73,00,74,00,50,00,35,00,32,00,31,00,00,00,6e,00,69,00,73,00,74,00,50,00,33,00,38,00,34,00,00,00,6e,00,69,00,73,00,74,00,50,00,32,00,35,00,36,00,00,00,00,00
These settings allow SChannel to use only TLS version 1.2 or higher, only AEAD cipher suites (based on the AES encryption algorithm; ChaCha20 is not supported by Windows client versions), a group modulus of at least 2048 bits for DHE key agreement, and only the Curve25519, NIST P-521, NIST P-384 and NIST P-256 elliptic curves.
Some of the above settings become available only after the appropriate OS update is applied, and information about such updates for unsupported systems may already have been removed from the Microsoft website (for example KB3174644 and its replacements, which supposedly exist only for Windows 8 and higher).
And now about why the above settings should not be thoughtlessly imported into the registry: SChannel settings affect every program that relies on it, including mail clients, and the settings of the mail server you use may turn out to be very "conservative", so in order not to be left without mail you may have to add some weaker cipher suite to the end of our beautiful list.
For ease of configuration you can use the IIS Crypto utility, which, alas, does not fully support Windows 10 and higher. It is also worth treating the "Only use FIPS algorithms" option with suspicion: it means using only "strong" algorithms approved by the Federal Information Processing Standard (FIPS 140), such as the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite, every component of which is considered weak or vulnerable today.
This exhausts our options for configuring SChannel; finer TLS settings may be available within a specific program, one of which we will discuss next: the Mozilla Firefox browser.
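The hex(7) blob above is hard to check by eye. As an added example (not code from the original post), the following script writes the Windows 10/11 Functions and EccCurves policy from plain lists, letting PowerShell produce the REG_SZ and REG_MULTI_SZ types, and also shows how the .reg hex(7) form is built so an exported value can be compared against the list. The suite and curve names are the ones from the post; it assumes an elevated PowerShell, and that no domain Group Policy is managing this key (a policy refresh would overwrite it).

```powershell
# Added example, not code from the original post: set the 00010002 policy key from
# lists instead of a hand-encoded hex(7) blob, and verify what was written.
$pol    = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$suites = @(
    'TLS_AES_256_GCM_SHA384','TLS_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384','TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384','TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384','TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
)
$curves = @('curve25519','nistP521','nistP384','nistP256')   # preference order, as in the post

function ConvertTo-RegMultiSzHex([string[]]$Strings) {
    # Builds the "hex(7):..." form a .reg file uses for REG_MULTI_SZ: every string is
    # UTF-16LE followed by a NUL, and an empty string (one more NUL) closes the list.
    $bytes = [System.Text.Encoding]::Unicode.GetBytes((($Strings -join [char]0) + [char]0 + [char]0))
    'hex(7):' + (($bytes | ForEach-Object { $_.ToString('x2') }) -join ',')
}

# Print the encoding so the EccCurves line of a .reg export can be compared with it
ConvertTo-RegMultiSzHex $curves

# Apply: New-ItemProperty writes the correct registry types, no hex needed.
# Functions is a single comma-separated REG_SZ; EccCurves is a REG_MULTI_SZ.
if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }
New-ItemProperty -Path $pol -Name Functions -PropertyType String      -Value ($suites -join ',') -Force | Out-Null
New-ItemProperty -Path $pol -Name EccCurves -PropertyType MultiString -Value $curves -Force | Out-Null

# Read back and confirm the order survived: the server honours the client's preference order.
$cur = Get-ItemProperty -Path $pol
if ((($cur.Functions -split ',') -join '|') -ne ($suites -join '|')) { Write-Warning 'Functions differ from the intended list' }
if (($cur.EccCurves -join '|') -ne ($curves -join '|'))              { Write-Warning 'EccCurves differ from the intended list' }
```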
Firefox uses its own crypto library, Network Security Services (NSS), so the SChannel settings are of no use to it; but by entering about:config in the address bar we get into a world full of
We are interested in three sections: security.ssl, security.ssl3 and security.tls. Most of the options have self-explanatory names and obvious values (true/false), but some need clarification (which Mozilla did not bother to provide).
security.tls.version.enable-deprecated (true/false) enables or disables, in principle (other settings also affect this), support for TLS versions 1.0 and 1.1.
security.tls.version.min, security.tls.version.max and security.tls.version.fallback-limit (0/1/2/3/4, where 0 is SSL 3.0 and 4 is TLS 1.3). The first specifies the minimum supported version of the encryption protocol, the second the maximum, and the third the lowest version the browser may fall back to if the version it offered cannot be negotiated with the server.
Unfortunately, I could not find any official information about the security.tls.hello_downgrade_check parameter. Judging by its name and its default value of true, this is a client-side analogue of the Fallback Signaling Cipher Suite Value, but judging by unofficial information, it is quite the opposite. If anyone can suggest a link to official information on this matter, I would be grateful.
PS: the collective mind in the comments helped to clarify the situation: this is an analogue of Fallback SCSV built into TLS 1.3, whose implementation in Firefox had a bug, which is why disabling it was advised; today (after the bug was fixed) this should no longer be done...
By configuring the OS and the browser you can close most of the "holes" in servers set up by clumsy admins, and to check whether you have botched the settings yourself, there are services such as How's My SSL? and SSL Client Test.
