What are cipher suites, forward secrecy? | Steps to limit cipher suites on Azure

Background

Louis.Z
2 min read · Sep 12, 2020

Your security team ran a security scan, found cipher-suite vulnerabilities on your site, and asked you to resolve them.

What does it mean?

The client browser communicates with your server over HTTPS, that is, over SSL/TLS encryption, and your server supports a range of encryption methods (cipher suites). A cipher is an algorithm; more specifically, a cipher suite is the set of algorithms (key exchange, authentication, bulk encryption and integrity) used to perform the cryptographic functions of a connection. Some cipher suites are more secure than others: a suite offers forward secrecy when it uses an ephemeral key exchange (ECDHE or DHE), so a later compromise of the server's private key does not expose previously recorded sessions. You can read more about cipher suites here: https://www.thesslstore.com/blog/cipher-suites-algorithms-security-settings/

The first step is to be able to find out the list of available cipher suites independently. If your site is reachable from the internet, you can check its security using the free scan website https://www.ssllabs.com/
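Once you have the list a scanner reports, you still have to decide which suites to keep. The script below is an added example, not code from the original post: it classifies cipher suites by their IANA names (the form SSL Labs and Azure's policies use) with the general criteria from above, namely an ephemeral key exchange for forward secrecy and an AEAD mode in preference to CBC, and it flags NULL, EXPORT, RC4, DES/3DES and MD5 suites as broken. The input list is constructed for the example; the category names and the `classify_suite`, `report_suites` and `allowed_suites` functions are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: classify TLS cipher suites
# by their IANA names. The rules are this example's own general criteria:
#   - forward secrecy needs an ephemeral key exchange: ECDHE_ or DHE_ in the
#     name, or a TLS 1.3 suite (TLS_AES_*, TLS_CHACHA20_*), which always has it;
#   - AEAD modes (GCM, CCM, ChaCha20-Poly1305) are preferred over CBC;
#   - NULL, EXPORT, RC4, DES/3DES and MD5 suites are broken or legacy.

# classify_suite NAME -> prints one of: broken, no-fs, cbc, strong, other
classify_suite() {
    case "$1" in
        *_NULL_*|*_EXPORT*|*_RC4_*|*_DES_*|*_3DES_*|*_MD5)
            echo "broken" ;;                  # do not offer at all
        TLS_AES_*|TLS_CHACHA20_*)
            echo "strong" ;;                  # TLS 1.3: ephemeral DH + AEAD
        TLS_ECDHE_*|TLS_DHE_*)
            case "$1" in
                *_GCM_*|*_CCM*|*CHACHA20_POLY1305*) echo "strong" ;;
                *_CBC_*)                            echo "cbc" ;;   # forward secrecy, but not AEAD
                *)                                  echo "other" ;;
            esac ;;
        *)
            echo "no-fs" ;;                   # static RSA/DH key exchange: no forward secrecy
    esac
}

# report_suites: read one suite name per line on stdin, print "<category> <suite>"
report_suites() {
    while IFS= read -r suite; do
        [ -n "$suite" ] || continue
        printf '%s %s\n' "$(classify_suite "$suite")" "$suite"
    done
}

# allowed_suites: keep only the suites worth allowing (forward secrecy + AEAD)
allowed_suites() {
    report_suites | awk '$1 == "strong" { print $2 }'
}

# Constructed sample, in the shape a scanner's "enabled cipher suites" list has.
SAMPLE_SUITES='TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_AES_256_GCM_SHA384'

echo "--- classification of the constructed sample ---"
printf '%s\n' "$SAMPLE_SUITES" | report_suites
echo "--- suites worth keeping ---"
printf '%s\n' "$SAMPLE_SUITES" | allowed_suites
```

The `cbc` category is deliberately separate from `no-fs`: an ECDHE suite with AES-CBC still protects recorded traffic against a later key compromise, so it is a weaker finding than a static-RSA suite, and you may need to keep it for old clients while you remove the `broken` and `no-fs` entries first.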

By default, the cipher-suite configuration of Azure App Service is reasonably good.

(Screenshot: default list of cipher suites)

If you are using App Service, the bad news is that there is no way to further limit the cipher suites. You will need to set up an Application Gateway in front of the App Service to allow customization.

Steps to limit the cipher suites on Azure Application Gateway

In your Application Gateway panel, go to the Listeners panel (highlighted in the screenshot):

Click on “Listeners” in the left menu.
Click on “Custom” (the SSL policy type changes from the default).
Exclude the suites marked in red in the screenshot; the ciphers in green can stay enabled.

Click on “Save”. Run the scan again and you should see a reduced list.

(Screenshot: the remaining list after customization)
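The same restriction applied from the Azure CLI rather than the portal, as an added example that is not part of the original post: it uses the `az network application-gateway ssl-policy set` and `show` commands with the arguments as I know them (`--policy-type Custom`, `--min-protocol-version`, `--cipher-suites`, `--query`); the resource group and gateway names are placeholders, and the allowlist is this example's own choice of ECDHE + AEAD suites. The `az` calls only run when `APPLY=1` is set and the CLI is installed; otherwise the command that would be executed is printed, and `check_policy` can be fed the output of `show` to confirm nothing outside the allowlist is still enabled.

```shell
#!/bin/sh
# Added example, not code from the original post: restrict an Application
# Gateway's cipher suites with the Azure CLI and verify the result.
set -eu

RG="${RG:-my-resource-group}"   # placeholder resource group name
GW="${GW:-my-app-gateway}"      # placeholder Application Gateway name

# Suites to keep: ephemeral key exchange (forward secrecy) and AEAD ciphers.
# This allowlist is the example's own choice, not a list from the post.
ALLOWED_SUITES="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

# ssl_policy_args: print the arguments for "az network application-gateway ssl-policy set"
ssl_policy_args() {
    printf '%s ' --resource-group "$RG" --gateway-name "$GW" \
        --policy-type Custom --min-protocol-version TLSv1_2 --cipher-suites
    printf '%s\n' "$ALLOWED_SUITES"
}

# check_policy: read one configured suite per line on stdin (the shape of
# "ssl-policy show --query cipherSuites -o tsv") and return 1 if any suite
# outside the allowlist is still enabled
check_policy() {
    status=0
    while IFS= read -r suite; do
        [ -n "$suite" ] || continue
        case " $ALLOWED_SUITES " in
            *" $suite "*) ;;
            *) echo "unexpected suite still enabled: $suite"; status=1 ;;
        esac
    done
    return "$status"
}

if command -v az >/dev/null 2>&1 && [ "${APPLY:-0}" = "1" ]; then
    # Apply the custom policy, then read back what the gateway actually has.
    # shellcheck disable=SC2046  (word splitting of the argument list is intended)
    az network application-gateway ssl-policy set $(ssl_policy_args)
    az network application-gateway ssl-policy show \
        --resource-group "$RG" --gateway-name "$GW" \
        --query cipherSuites -o tsv | check_policy
    echo "policy applied and verified"
else
    echo "dry run: az network application-gateway ssl-policy set $(ssl_policy_args)"
fi
```

The read-back step is the part worth keeping in a pipeline: after every change, re-run the external scan as the post suggests and also compare the gateway's own reported list against your allowlist, so a drift back to a predefined policy is caught even when no scanner is looking.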

Conclusion

Security is important, and it usually breaks at the weakest link or layer, so scanning your application regularly should be part of your DevSecOps practice. Today’s strong cipher will become weak tomorrow, and a strong developer needs to be well informed about every aspect of the application.
