Spring TLS encryption clean up

2nd TLS encryption clean up

Another spring, another time to clean up our infrastructure, in preparation for the summer. Yes, like cleaning out a house. This time we have decided to say "to hell with compatibility" and have removed ALL known weak ciphers (including some that were considered state of the art last year).

Here we go again with this IT mumbo-jumbo...

Encryption ciphers are the "rules" by which two computers communicate over an encrypted connection. A basic cipher is "shift all letters one letter to the right". So "Hello" becomes "IFMMP". To any observer, the text stream becomes garbage, unless he knows the secret. It's an overly simplified explanation (that does not take into account the actual secret exchange) but you get the idea.

Ciphers removed include all AES128-based ciphers and all DHE ciphers. At this rate, we'll run out of reliable ciphers to use next year :-P. Our initial tests show that there isn't any breakage (that wasn't there before, i.e. XP not supporting SNI). We'll begin testing the new cipher list and, if everything works out, we'll deploy it en masse on our infrastructure for all hosted websites. If you get an error when connecting to a website hosted by us, you are strongly advised to update your browser before letting us know that something is wrong.

Why this was needed.

Computer security relies on strong encryption. Without it, getting at all your secrets, starting from your password, to the communication itself, to your data, becomes a trivial task for any motivated attacker. The computer industry has always been the scapegoat of "good business practices". Computer administrators (in general) are more concerned about how their coffee tastes than about keeping up with technological advances. We don't like that. We strongly disagree with "if it ain't broken, don't fix it". If it ain't broken, you aren't trying hard enough. This includes keeping up with security news (you have seen all the Twitter posts about urgent upgrades to fix problems, right?) and also includes staying ahead of the competition by offering the best the industry has to offer. If we break backwards compatibility, it's not our fault, it's the industry's fault for not keeping up with US.

So excited, what should I do now???

Stop hyperventilating, and relax. Unless you are seeing an error in your (outdated) browser, you will not even notice this change. If you do get an error, just before picking up the pitchfork and heading our way, update your browser first. That should (key word) solve your problem.