{"id":144,"date":"2012-06-24T12:54:07","date_gmt":"2012-06-24T20:54:07","guid":{"rendered":"http:\/\/unmitigatedrisk.com\/?p=144"},"modified":"2012-06-28T08:28:38","modified_gmt":"2012-06-28T16:28:38","slug":"a-revised-look-at-the-new-windows-update-ssl-configuration","status":"publish","type":"post","link":"https:\/\/unmitigatedrisk.com\/?p=144","title":{"rendered":"A revised look at the new Windows Update SSL configuration"},"content":{"rendered":"<p>The other day I did a quick post about how <a href=\"http:\/\/unmitigatedrisk.com\/?p=116\">SSL was configure for Windows Update<\/a>, I thought I would double back and see if they have made any changes and <a href=\"https:\/\/www.ssllabs.com\/ssltest\/analyze.html?d=www%2eupdate%2emicrosoft%2ecom&amp;s=65%2e55%2e200%2e139\">it looks like they have<\/a>.<\/p>\n<p>From looking at the <a href=\"https:\/\/www.ssllabs.com\/ssltest\/analyze.html?d=www%2eupdate%2emicrosoft%2ecom&amp;s=65%2e55%2e200%2e139\">SSL Labs results<\/a>\u00a0I notice a few changes:<\/p>\n<ol>\n<li>The servers are now indicating a cipher suite preference.<\/li>\n<li>The servers are now putting TLS suites above the SSL suites.<\/li>\n<li>The servers no longer support\u00a0TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.<\/li>\n<\/ol>\n<div>Since they made some changes since the post we can assume the goal was to improve things, I think they have but it doesn&#8217;t entirely make sense to me the choices they have made, for example:<\/div>\n<div>\n<ol>\n<li>Why continue to support SSL 2.0 when no client that only supports SSL 2.0 has the WU client software on it.<\/li>\n<li>Why include more than one SSL cipher suite, if the goal is to enable the use of SSL 3.0 and the only clients to this server are based on SCHANNEL and CryptoAPI a single suite would be enough.<\/li>\n<li>If your going to support the RC4 cipher suites, why not prioritize them above the other suites so that they are resistant\u00a0to BEAST.<\/li>\n<li>Why remove TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, I am guessing its performance but\u00a0that is\u00a0surprising\u00a0since its not that much more expensive.<\/li>\n<\/ol>\n<p>We also see a few changes when browsing to <a href=\"https:\/\/www.update.microsoft.com\">https:\/\/www.update.microsoft.com<\/a>, unlike before when we browse from a client that\u00a0doesn&#8217;t\u00a0have a WU agent\u00a0available\u00a0on it (like XP \/w IE6 and no SP) we no longer get instructions on how to get patched we now get a blank page.<\/p>\n<p>Anyhow thats what I see today.<\/p>\n<p>Ryan<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The other day I did a quick post about how SSL was configure for Windows Update, I thought I would double back and see if they have made any changes and it looks like they have. From looking at the SSL Labs results\u00a0I notice a few changes: The servers are now indicating a cipher suite [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[3,4],"tags":[6],"class_list":["post-144","post","type-post","status-publish","format-standard","hentry","category-security","category-thoughts","tag-ssl"],"_links":{"self":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/posts\/144","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=144"}],"version-history":[{"count":0,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=\/wp\/v2\/posts\/144\/revisions"}],"wp:attachment":[{"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=144"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=144"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unmitigatedrisk.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=144"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}