What Are Cipher Suites And Their Impact On Security

An introduction to cipher suites and why you should eliminate weak cipher suites to improve security.

Configuration of cipher suites is often overlooked by many working in the web hosting and development industry. At Convesio we recently helped a client remove weak cipher suites, thereby improving their security rating.

If you want a deeper understanding of how clients and servers secure their communication, it is worth exploring how cipher suites work in TLS-based protocols such as HTTPS and SMTP with STARTTLS. (SSH-based protocols like SFTP negotiate their ciphers, MACs and key-exchange methods in a similar way, but the rest of this article is about TLS.)

In simple terms, a cipher suite is a named combination of cryptographic algorithms that the client and server agree on during the SSL/TLS handshake. It defines how the server is authenticated, how the session keys are exchanged, and how the traffic is encrypted and integrity-protected.

During the handshake the client sends the list of cipher suites it supports (in its ClientHello). The server compares that list with its own configured list and picks one suite, usually the first match in its own order of preference, and announces the choice in its ServerHello. If at least one suite is common to both lists, the handshake continues and a secure connection is established. If there is no overlap, the server aborts the handshake with a handshake_failure alert and no connection is established.

The list of cipher suites you configure on your server therefore decides which connections it will accept and how strongly they are protected: any suite left in the list can be negotiated by any client that offers it.

Structure Of A Cipher Suite

There are four parts to a cipher suite, listed here in the order they appear in the suite name:

  • Key Exchange – how the client and server agree on the session keys (e.g. ECDHE, DHE, or static RSA key transport)
  • Authentication – how the server proves its identity, i.e. which signature algorithm its certificate key uses (e.g. RSA or ECDSA)
  • Symmetric Encryption – the bulk cipher and mode that protect the application data (e.g. AES-128 in GCM mode)
  • Hashing Algorithm – the hash used for integrity: an HMAC on each record in older suites, and the handshake's key-derivation function (PRF) in every suite

Here’s an example of what a cipher suite looks like:

ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE is the key exchange: ephemeral elliptic-curve Diffie-Hellman, which gives forward secrecy because a fresh key pair is used per connection
  • ECDSA is the authentication: the server signs the handshake with the ECDSA key in its certificate
  • AES128-GCM is the encryption: AES with a 128-bit key in Galois/Counter Mode, an AEAD mode that also authenticates every record
  • SHA256 is the hashing algorithm: with a GCM suite it is used for the handshake PRF, since record integrity already comes from GCM; in a CBC suite such as ECDHE-RSA-AES128-SHA256 it would also be the HMAC on each record
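The breakdown above can be automated. The following is an added example, not code from the original article, that splits OpenSSL/BoringSSL-style suite names into the four components, handles the two naming quirks a practitioner trips over (a name with no key-exchange prefix means static RSA key transport, and the ChaCha20-Poly1305 names leave the SHA256 PRF implicit), and recognises TLS 1.3 names, which carry only the AEAD cipher and the hash. The suite names used as input are well-known suites; everything else in the block is this example's own construction.

```python
"""Added example (not from the original article): split OpenSSL/BoringSSL-style
TLS cipher suite names into key exchange, authentication, encryption and hash."""
from dataclasses import dataclass

KEY_EXCHANGE = {"ECDHE", "DHE", "ECDH", "DH", "AECDH", "ADH"}
AUTHENTICATION = {"RSA", "ECDSA", "DSS"}
# OpenSSL writes the SHA-1 HMAC suites as plain "SHA"; normalise the label.
HASHES = {"SHA": "SHA1", "SHA256": "SHA256", "SHA384": "SHA384", "MD5": "MD5"}


@dataclass(frozen=True)
class CipherSuite:
    name: str
    key_exchange: str
    authentication: str
    encryption: str
    hash_alg: str

    @property
    def forward_secret(self) -> bool:
        # Only ephemeral (EC)DH key exchange gives forward secrecy; static RSA key
        # transport lets recorded traffic be decrypted if the server key ever leaks.
        # TLS 1.3 always uses ephemeral key exchange.
        return self.name.startswith("TLS_") or self.key_exchange in ("ECDHE", "DHE")

    @property
    def aead(self) -> bool:
        # AEAD modes authenticate the record themselves, so the hash at the end of
        # the suite name is then only the handshake PRF, not a per-record MAC.
        return any(m in self.encryption for m in ("GCM", "POLY1305", "CCM"))


def parse_suite(name: str) -> CipherSuite:
    """Parse a TLS 1.2 name such as ECDHE-ECDSA-AES128-GCM-SHA256 or a TLS 1.3
    name such as TLS_AES_128_GCM_SHA256."""
    if name.startswith("TLS_"):
        # TLS 1.3 suites name only the AEAD cipher and the hash; key exchange and
        # signature algorithm are negotiated by separate handshake extensions.
        parts = name[4:].split("_")
        return CipherSuite(name, "negotiated separately", "negotiated separately",
                           "-".join(parts[:-1]), HASHES[parts[-1]])

    parts = name.split("-")
    if parts[0] in KEY_EXCHANGE:
        kx = parts.pop(0)
        if kx in ("AECDH", "ADH"):
            auth = "NULL"  # anonymous Diffie-Hellman: no server authentication at all
        elif parts and parts[0] in AUTHENTICATION:
            auth = parts.pop(0)
        else:
            raise ValueError(f"unrecognised authentication in {name}")
    else:
        # No prefix means RSA key transport with RSA authentication,
        # e.g. AES128-GCM-SHA256 or DES-CBC3-SHA.
        kx = auth = "RSA"

    if parts and parts[-1] in HASHES:
        hash_alg = HASHES[parts.pop()]
    elif parts and parts[-1] == "POLY1305":
        hash_alg = "SHA256"  # implicit in the ChaCha20-Poly1305 suite names
    else:
        raise ValueError(f"unrecognised hash in {name}")
    if not parts:
        raise ValueError(f"no encryption algorithm in {name}")
    return CipherSuite(name, kx, auth, "-".join(parts), hash_alg)


if __name__ == "__main__":
    for n in ("ECDHE-ECDSA-AES128-GCM-SHA256", "AES128-SHA",
              "ECDHE-RSA-CHACHA20-POLY1305", "TLS_AES_128_GCM_SHA256"):
        s = parse_suite(n)
        print(f"{n:32} kx={s.key_exchange} auth={s.authentication} "
              f"enc={s.encryption} hash={s.hash_alg} "
              f"pfs={s.forward_secret} aead={s.aead}")
```

Running it shows at a glance why AES128-SHA is a weaker suite than the article's example despite using the same cipher: it has no forward secrecy (static RSA key transport) and no AEAD (CBC with an HMAC-SHA1).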

Before we move forward, it is important to mention that SSL (SSL 2.0 and SSL 3.0) is a deprecated way of securing client and server communication and should be disabled. The current protocol is TLS, which is what HTTPS connections use today; the word "SSL" survives mainly in product names and in the phrase "SSL certificate".

TLS has four versions: TLS 1.0, TLS 1.1, TLS 1.2 and TLS 1.3. TLS 1.0 and TLS 1.1 have been formally deprecated (RFC 8996) and should also be disabled, which leaves TLS 1.2 and TLS 1.3 as the versions to offer. Each version supports a different set of cipher suites, and TLS 1.3 changed the naming: a TLS 1.3 suite such as TLS_AES_128_GCM_SHA256 names only the AEAD cipher and the hash, because key exchange is always ephemeral (EC)DHE and the authentication algorithm is negotiated separately, so every TLS 1.3 suite provides forward secrecy and authenticated encryption.

Cloudflare - TLS Cipher Suite Support

How We Helped Our Client Eliminate Weak Cipher Suites

Security, support, scalability and speed are the four essentials for any modern hosting platform, and at Convesio we continuously aim to improve on each of those four fronts. Recently we helped a client define which cipher suites his server should accept for incoming traffic and which ones it should reject.

We use Cloudflare Enterprise for most of the clients that host their WordPress websites with us. Cloudflare terminates the visitor's TLS connection at its edge, before any connection to the origin server is made, so the cipher suites and TLS versions offered to visitors are controlled by Cloudflare Enterprise rather than by the web server itself. We primarily offer TLS 1.2 and TLS 1.3: TLS 1.2 still has the widest range of supported cipher suites for compatibility with older clients, and TLS 1.3 restricts itself to the strongest ones.

To check how securely your web server is configured, run the free Qualys SSL Labs test at SSLLabs.com. It returns a grade for your current settings together with a list of findings and recommendations.

SSL Labs Test

The SSL Labs report also lists every cipher suite the server accepts and flags the weak ones. Those suites are a liability because the server cannot tell a legacy browser apart from an attacker's client: anyone can offer only the weak suites and be served with them, traffic captured from a session that used a non-forward-secret or broken suite (static RSA key exchange, RC4, 3DES) can be attacked later, and downgrade attacks such as FREAK and Logjam only worked against servers that still accepted export-grade suites. The fix is to offer only TLS 1.2 and TLS 1.3 and to remove the weak suites from the list.
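To make the "server cannot tell them apart" point concrete, here is an added example (not code from the original article or from Cloudflare) that models the server-side selection rule described earlier and runs it against a constructed "before" list containing weak suites and the hardened list with those suites removed. The weakness patterns follow the usual SSL Labs and Mozilla guidance but are this example's own approximation, not either organisation's official list; the suite lists and the two clients are constructed for the demonstration.

```python
"""Added example (not from the original article): a model of server-side cipher
suite selection, run against a server list before and after removing weak suites."""
import re

# Constructed patterns for flagging weak OpenSSL-style suite names, following the
# usual SSL Labs / Mozilla guidance; not an official list from either.
WEAK_PATTERNS = [
    (re.compile(r"(^|-)(NULL|EXP|ADH|AECDH)(-|$)"),
     "null cipher, export grade, or anonymous (unauthenticated) key exchange"),
    (re.compile(r"RC4"), "RC4 keystream biases"),
    (re.compile(r"DES"), "DES/3DES 64-bit blocks (Sweet32)"),
    (re.compile(r"-MD5$"), "MD5-based MAC"),
    (re.compile(r"^(?!(ECDHE|DHE)-)"), "static key exchange: no forward secrecy"),
    (re.compile(r"^(?!.*(GCM|POLY1305|CCM))"), "non-AEAD CBC/HMAC construction"),
]


def weak_reasons(suite):
    """Return the reasons a suite is considered weak (empty list means acceptable)."""
    if suite.startswith("TLS_"):
        # TLS 1.3 suites are all AEAD with ephemeral key exchange.
        return []
    return [why for pattern, why in WEAK_PATTERNS if pattern.search(suite)]


def harden(suites):
    """Drop every flagged suite, preserving the server's preference order."""
    return [s for s in suites if not weak_reasons(s)]


def server_select(server_prefs, client_offer):
    """Server-preference negotiation: the first suite in the server's ordered list
    that the client also offered. None models a handshake_failure alert.
    Real servers also filter by certificate type and negotiated TLS version; this
    model assumes the server list already reflects that."""
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None


# Constructed server list, in the server's order of preference.
SERVER_BEFORE = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA",  # forward secret, but CBC with HMAC-SHA1
    "AES128-SHA",            # static RSA key transport: no forward secrecy
    "DES-CBC3-SHA",          # 3DES (Sweet32)
    "RC4-SHA",               # RC4
]
SERVER_AFTER = harden(SERVER_BEFORE)

# Constructed clients. The second offers only weak suites: it could be a very old
# browser or an attacker's tool, and the server has no way to tell which.
MODERN_CLIENT = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
                 "ECDHE-RSA-AES256-SHA", "AES128-SHA"]
WEAK_ONLY_CLIENT = ["RC4-SHA", "DES-CBC3-SHA"]

if __name__ == "__main__":
    for suite in SERVER_BEFORE:
        print(f"{suite:32} {'; '.join(weak_reasons(suite)) or 'ok'}")
    print("hardened list:", SERVER_AFTER)
    print("weak-only client, before:", server_select(SERVER_BEFORE, WEAK_ONLY_CLIENT))
    print("weak-only client, after: ", server_select(SERVER_AFTER, WEAK_ONLY_CLIENT))
```

With the original list the weak-only client is served with DES-CBC3-SHA; with the hardened list it gets no suite at all, which is the behaviour you want, while the modern client keeps negotiating the same strong suite it would have before.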

About The Author
Ahsan Parwez

Ahsan has more than a decade worth of experience in all areas of digital marketing. Combined with his knowledge of WordPress and Web hosting, he has helped companies scale in the WordPress ecosystem. As a Growth Marketing Manager at Convesio, his goal is to help educate prospects about what’s the best way to scale and optimize their WordPress websites.

Recently our team of engineers worked with one of our clients to improve the security of their site. The client had hired a security company that ran a penetration test against the website and reported that some weak cipher suites were in use.

Keeping true to our core value of going above and beyond to help our clients, John Schulz from our team studied how to remove cipher suites from Cloudflare Enterprise. There is currently no way to do this in the Cloudflare Enterprise dashboard, but John was able to use Cloudflare's API to set the list of allowed cipher suites, a setting Cloudflare exposes for zones using Advanced Certificate Manager or SSL for SaaS.

“We were able to utilize the Cloudflare API to update each zone to utilize our desired cipher suites. However, we were given a report with the necessary changes and upon the first attempt to make the updates, we received errors when copying the ciphers listed. We learned it is important to pay attention to the formatting when making the API request to Cloudflare for each zone’s ciphers. Cloudflare adheres to Google’s BoringSSL format and the ciphers must be referenced as such when making the request. After cross-referencing our list of desired ciphers with Cloudflare’s documented cipher suites for the appropriate TLS versions, we were able to compose the correct request to successfully make the change.” – John Schulz
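The formatting problem John describes is a common one: security scanners and pentest reports usually list suites by their IANA names (TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), while Cloudflare's API expects the OpenSSL/BoringSSL names (ECDHE-ECDSA-AES128-GCM-SHA256). The following is an added example, not Convesio's own tooling or code from the original article: it normalises a list that may contain either style, rejects anything that is neither, and builds the request against Cloudflare's zone-setting endpoint for cipher suites (PATCH /zones/{zone_id}/settings/ciphers with a JSON body of the form {"value": [...]}, authenticated with an API token). The IANA-to-OpenSSL table is a small constructed subset that should be extended from Cloudflare's documented cipher list, and the assumption that the report used IANA names is this example's, not something the article states. TLS 1.3 suites are rejected because, as I read Cloudflare's documentation, they cannot be customised. The `apply_cipher_update` function performs the live call and is not exercised here.

```python
"""Added example (not from the original article or Convesio's own tooling):
normalise cipher names to the OpenSSL/BoringSSL style Cloudflare expects and
build the zone-setting request that replaces a zone's cipher suite list."""
import json
import re
import urllib.request

# IANA (RFC) names -> OpenSSL/BoringSSL names. Constructed subset for this
# example; extend it from Cloudflare's documented cipher suite list.
IANA_TO_OPENSSL = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-ECDSA-CHACHA20-POLY1305",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
}
# OpenSSL-style names: upper-case alphanumeric tokens joined by hyphens.
OPENSSL_NAME = re.compile(r"^[A-Z0-9]+(-[A-Z0-9]+)+$")


def to_openssl_name(name):
    """Accept either naming style and return the OpenSSL/BoringSSL name."""
    name = name.strip()
    if name in IANA_TO_OPENSSL:
        return IANA_TO_OPENSSL[name]
    if name.startswith("TLS_"):
        # Either a TLS 1.3 suite (not customisable on Cloudflare) or an IANA
        # name this table does not know; both would be rejected by the API.
        raise ValueError(f"not a customisable OpenSSL-style suite name: {name}")
    if not OPENSSL_NAME.match(name):
        raise ValueError(f"malformed suite name: {name!r}")
    return name


def build_cipher_update(zone_id, api_token, suites):
    """Build, but do not send, PATCH /zones/{zone_id}/settings/ciphers."""
    value = [to_openssl_name(s) for s in suites]
    body = json.dumps({"value": value}).encode()
    url = f"https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/ciphers"
    return urllib.request.Request(
        url, data=body, method="PATCH",
        headers={"Authorization": f"Bearer {api_token}",
                 "Content-Type": "application/json"},
    )


def apply_cipher_update(zone_id, api_token, suites):
    """Send the request and return the API's 'result' object, raising on errors."""
    req = build_cipher_update(zone_id, api_token, suites)
    with urllib.request.urlopen(req, timeout=30) as resp:
        payload = json.load(resp)
    if not payload.get("success"):
        raise RuntimeError(f"Cloudflare API error: {payload.get('errors')}")
    return payload["result"]


if __name__ == "__main__":
    # Constructed input in the mixed form a pentest report might hand over.
    REPORT_SUITES = [
        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "ECDHE-RSA-CHACHA20-POLY1305",
    ]
    req = build_cipher_update("<zone_id>", "<api_token>", REPORT_SUITES)
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Keeping request construction separate from sending lets you print and review the exact body before it touches a production zone, and makes the normalisation step testable without credentials. Run the same update once per zone, as John did, and re-check each hostname with SSL Labs afterwards.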

Our primary focus at Convesio is providing a scalable platform for websites built using WordPress. Part of the challenge of scalability includes keeping up with best practices of security, speed and support. This was just one case of many where we learned something new and helped our client achieve their desired goal.
