If you would like to continue to gain a deeper understanding of security protocols in client and server communications, it may be a worthwhile exercise to explore the concept of cipher suites as it pertains to network protocols like HTTPS, SMTP, SFTP, etc
In simple terms, Cipher Suites are a set of algorithms and security protocols that define how the server handles the incoming traffic from clients over a secure protocol i.e. during SSL/TLS Handshake.
When the client and server exchange information over an SSL/TLS connection, the client notifies the servers which cipher suite to use, the server matches the cipher suites with the list of cipher suites it has. If the cipher suite matches, a secure connection is established between client and server. If however, cipher suites do not match, the connection is refused by the server.
You can define the list of Cipher Suites on your server and it will impact which connections to accept as secure.
Structure Of A Cipher Suite
There are four parts to Cipher Suites
- Authentication – verify server’s identity
- Symmetric Encryption – confidentiality for bulk data transfer
- Hashing Algorithm – used for data integrity
- Key Exchange Protocol – to generate necessary keys
Here’s an example of what a cipher suite looks like:
- ECDHE is the Key Exchange protocol
- ECDSA is the Authentication protocol
- AES128-GCM is the Encryption
- SHA256 is the Hashing Algorithm
Before we move forward, it is important to mention that SSL is a deprecated way of securing client and server communication, these days the updated protocol is TLS that many HTTPS connections use.
TLS currently has 4 active versions that are TLS 1.0, TLS 1.1, TLS 1.2 and TLS 1.3. For each version the way Cipher suites are defined are a little differently and they vary on how secure each version of cipher is.
How We Helped Our Client Eliminate Weak Cipher Suites
Security, Support, Scalability and Speed are the top four essentials for any modern hosting platform. At Convesio we continuously aim to improve on each four of those fronts. Recently we helped a client define which Cipher Suites his server should use for incoming traffic and which ones should be rejected.
We use Cloudflare Enterprise on most of our clients that host their WordPress websites with us and Cipher Suites come into play before a secure connection between the server and client is established. The list of Ciphers and the TLS protocols are thus controlled by Cloudflare Enterprise, we primarily use a combination of TLS 1.2 and TLS 1.3 protocols, as they have the widest range of ciphers suites supported and some of the ciphers have the strongest encryption.
In order to verify how secure your web server is, you can run a free test through SSLLabs.com and get a list of recommendations plus a rating for the settings you currently have.
The SSLLabs.com test also lists the cipher suites in use and which one of them are weakest ciphers. Using these Ciphers a malicious connection can be established between your server and the attacker’s client. It is generally a good idea to use TLS 1.2 protocol and get rid of weakest cipher suites from the list.