
It’s time for A grade SSL on Azure websites

I get a lot of this sort of thing:

“Hey, how come your site only gets a B grade on the SSL Labs test?”

They’re referring to my Have I been pwned? (HIBP) site and they’re right, it only scores a B grade:

"B" grade rating for an Azure website

The killer blow here is highlighted in orange – RC4. It’s a weak cipher by today’s terms and evidently its presence has capped my grade lower than it would be if RC4 was no longer supported. So I’d get a report from someone along these lines and have to explain why:

“HIBP is hosted on the Azure website server (now known as Web Apps) and SSL termination is upstream of the site itself therefore I have no control over the service”

Then we’d argue about the upsides of using Azure’s platform versus the downsides of RC4 support and how much risk it truly posed to a service of this nature. Regardless, RC4 support is not a good thing in today’s terms and it has to go. And it is going.

Today, many people got this email from Microsoft:

Azure email about strengthening TLS/SSL

This is the beginning of the end for RC4! That’s enormously good news and like many others, I immediately headed out and plugged the test site into SSL Labs. Also like many others, I was left a bit confused by the result:

So what’s actually changed?! The problem is one that has foiled many of us on the web for many years – caching. Run that report again now and you’ll quite likely see it come back with something more like this:

"A" grade result from SSL Labs

At last – an “A” rating on Azure websites! That puts them ahead of most banks when it comes to the security of the transport layer and that’s a very good result indeed. If you’re happy to serve everything from your domain over HTTPS then you can strengthen it further again with HSTS.

Of course per the email above, this won’t all take effect until later next month so do be conscious of that. Why not immediately? Because for some people, stuff will inevitably break. Yes, yes, there’s very little out there that still has a dependency on RC4. There was also very little out there that still had a dependency on SSL 3 but ask me how many POS terminals in a project I was working on died last year when Microsoft pulled support in the wake of POODLE. No, actually don’t ask me, the pain is still too raw and yes, there will be devices out there still dependent on massively old crypto bits and yes, many people will have no idea of their dependency on those bits until their stuff stops working. This is why there’s a test site and a notice period! Test your SSL things folks, that’s what testsslclient.trafficmanager.net is there for and it does represent the future state of Azure’s website / web apps PaaS offering.
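One way to find out ahead of the cut-over which of your own clients depend on RC4 is to look at the cipher suites they offer in their TLS ClientHello. The following is an added example, not code from the original post or from Microsoft: it assumes you have raw ClientHello records from a packet capture of your clients, lists only a subset of the IANA-registered RC4 suites, and uses constructed sample hellos for the demo.

```python
import struct

# Common RC4 suites by IANA code point (a subset: PSK/Kerberos variants omitted).
RC4_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC00C: "TLS_ECDH_RSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}
SIGNALLING = {0x00FF, 0x5600}  # renegotiation/fallback SCSVs are not ciphers

def offered_suites(record: bytes) -> list:
    """Extract cipher suite code points from one TLS ClientHello record."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            raise ValueError("not a ClientHello handshake record")
        pos = 5 + 4 + 2 + 32               # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]             # skip session_id
        (n,) = struct.unpack_from("!H", record, pos)
        raw = record[pos + 2:pos + 2 + n]
        if n % 2 or len(raw) != n:
            raise ValueError("malformed cipher_suites vector")
        return [c for (c,) in struct.iter_unpack("!H", raw)]
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None

def rc4_dependence(record: bytes):
    """Return (verdict, rc4_names): 'rc4_only' clients fail once RC4 is removed."""
    suites = [s for s in offered_suites(record) if s not in SIGNALLING]
    rc4 = [RC4_SUITES[s] for s in suites if s in RC4_SUITES]
    if not rc4:
        return "no_rc4", rc4
    return ("rc4_only" if len(rc4) == len(suites) else "offers_rc4"), rc4

def sample_hello(suites, version=0x0301) -> bytes:
    """Constructed ClientHello for the demo (zeroed random, no extensions)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                    # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for name, s in [("legacy POS", [0x0005, 0x0004, 0x00FF]), ("browser", [0xC02F, 0xC011, 0x002F])]:
        print(name, rc4_dependence(sample_hello(s)))
```

A client reported as `rc4_only` has nothing left to negotiate once the server drops RC4, while `offers_rc4` clients fall back to one of their other suites.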

Final thing – if you manage your own server in an IaaS model (i.e. you install and run your own IIS) then this doesn’t apply to you. In that scenario you manage your own SSL termination and it’s up to you to strengthen the implementation appropriately. Because of that, you wouldn’t still be running RC4 today anyway, right? :)


Hi, I'm Troy Hunt, I write this blog, create courses for Pluralsight and am a Microsoft Regional Director and MVP who travels the world speaking at events and training technology professionals.