Solved How to disable RC4 Ciphers in TLS?

[Callender]

I'm not sure if this is the correct section for this question but anyway....

Having read this article:

Microsoft Giving .NET Users The Option to Shed RC4

Then this one:

Security Advisory 2868725: Recommendation to disable RC4

It leaves me slightly confused on how to disable RC4 on a home based Windows 7 machine.

I see the following advice:

How to Completely Disable RC4
Clients and Servers that do not wish to use RC4 ciphersuites, regardless of the other party's supported ciphers, can disable the use of RC4 cipher suites completely by setting the following registry keys. In this manner any server or client that is talking to a client or server that must use RC4, can prevent a connection from happening. Clients that deploy this setting will not be able to connect to sites that require RC4 while servers that deploy this setting will not be able to service clients that must use RC4.

• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
  • "Enabled"=dword:00000000

• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
  • "Enabled"=dword:00000000

• [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
  • "Enabled"=dword:00000000

That seems to confilct with the advice in this article:


https://support.microsoft.com/kb/245030



Notes

• The Ciphers key should contain no values or subkeys

(Or are they saying that by default the Ciphers should be empty) and that modifying this key will provide the fix?


If anyone has made the modifications and can provide a registry key to import please post!


Is it a good enough fix to ignore all of the above and just make the following browser settings changes?

 

[Callender]

Solved - disable weak cyphers

Solved the problem myself. Here's how:

Important: Backup the following registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Save the attached file as a PowerShell script (with the .ps1 extension) and run it.

View attachment DisableWeakCiphers.txt

Results:



Weak cyphers are now disabled

Strong cyphers are enabled

Protocols:

 

[chrysalis]

Nice last post, assuming it affects IE.

I suggest you disable all rc4 tho and now (especially with poodle) also sslv3.

so here is may altered file.

 

[Callender]

Disable RC4 and SSLv3

Nice last post, assuming it affects IE.

I suggest you disable all rc4 tho and now (especially with poodle) also sslv3.

so here is may altered file.

Well I was just looking into a script to disable SSLv3 this week and didn't know about the advice to disable RC4 so thank you very much indeed! I have made use if your script. (Disable RC4 is what the original post was about)

As far as i know it takes care of windows and in theory browsers including IE but it wouldn't hurt to open IE settings and set it to disabled there - just to be on the safe side.

Here's a few testers anyway:

SSL/ TLS Tests

Just use the two SSL/ TLS tester links.

Edit: I'd sorted out the Poodle vulnerability this week but great suggestion anyway!

 

[chrysalis]

I sadly found out rc4 is needed for youtube, google only support 2 ciphers on googlevideos, rc4 and a new gcm cipher which isnt in any major browsers yet, at least its not in IE and firefox, might be in chrome.

But more bad news is these registry tweaks seem to do absolutely nothing in IE11, e.g. I disabled the AES ciphers, ran ssllabs browser test and it reports AES in use, although its possible that test just assumes its available due to browser version as it does run very fast but youtube should have been broken when I disabled RC4 and was not. I may do more tests later using one of my websites. Not confirmed in outlook yet if affects ciphers in use.

https://news.ycombinator.com/item?id=7977167

Of course it is at least trivial to disable sslv3 in the IE options pages. But other microsoft applications its not so easy.

 

[Callender]

Insecure Cipher Suites

My knowledge on this is pretty sketchy - hence the original question.

This is interesting: Disabling the RC4 Cipher | Windows content from Windows IT Pro

Tested secure connection to Youtube with the following registry settings applied:

View attachment DisableWeakCiphers.txt

View attachment SSL Cipher tweak RC4 removed.txt

View attachment SSL Cipher Preferred Order.txt

Disabled RC4 in browser:



Can still get a secure connection to Youtube:



I suspect that registry settings take care of weak cyphers in windows but browsers need tweaking separately. Of course that could be entirely wrong!