DO Ideas 2

Tighten up security on load balancers.

Digital Ocean load balancers currently accept TLS1.0 and ciphers with short keys which have been confirmed to be a security risk. Clients that use a load balancer for their application will most likely not pass security audits because of this.

TLS1.0
======
Load balancers currently still accept TLS1.0 which has been confirmed vulnerable to POODLE attacks as of December 2014. Only very old browsers do not support TLS1.1 and TLS1.2 (e.g. Internet Explorer 9 and below) which have a negligible market share by now (see, for example, https://help.salesforce.com/articleView?id=000220586&language=en_US&type=1).

All TLS1.0 cipher suites should be disabled.

TLS1.1 and TLS1.2
=================
These cipher suites still accept weak ciphers with keys shorter than 128 bits, which makes them vulnerable to birthday attacks. The affected suites are:

For TLS1.2:
* TLS_RSA_WITH_3DES_EDE_CBC_SHA
* DHE-RSA-DES-CBC3-SHA
* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

For TLS1.1:
* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_RSA_WITH_3DES_EDE_CBC_SHA

These should be disabled.

  • Daniel van den Berg
  • Sep 11 2018
  • Sep 11, 2018
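As an added example (not part of the original post, and not DigitalOcean's code), the following Python script checks a TLS endpoint against exactly the policy the post asks for: reject TLS1.0, and flag any offered suite built on 3DES, single DES, export or NULL ciphers, all of which fall below 128 bits of key strength. The `audit()` function is pure and works offline on protocol/suite names gathered by any scanner; `probe_version()` and `probe_cipher()` use the standard `ssl` module to ask a live server whether it still negotiates TLS1.0 or a 3DES suite. The host `lb.example.invalid` is a placeholder; substitute a load balancer you operate.

```python
"""Audit a TLS endpoint against a minimal policy: no TLS1.0, no cipher suites
weaker than 128 bits (3DES, single DES, export, NULL). Example code added for
illustration; the host name below is a placeholder, not a real endpoint."""
import re
import socket
import ssl

# Protocol versions the policy rejects, in the spelling ssl.SSLSocket.version()
# and common scanners use.
BANNED_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.0"}

# Matches both IANA names (TLS_RSA_WITH_3DES_EDE_CBC_SHA) and OpenSSL names
# (DHE-RSA-DES-CBC3-SHA). 3DES has only 112 bits of effective strength and a
# 64-bit block; single DES, export and NULL suites are weaker still.
WEAK_SUITE = re.compile(r"3DES|DES-CBC3|DES_EDE|(?<![A3])DES[_-]|EXPORT|EXP-|NULL")


def is_weak_suite(name: str) -> bool:
    """True if the suite name uses a cipher below 128 bits of key strength."""
    return WEAK_SUITE.search(name) is not None


def audit(versions, suites):
    """Return human-readable findings for observed protocol versions and suites.

    An empty list means the endpoint satisfies the policy."""
    findings = []
    for v in versions:
        if v in BANNED_VERSIONS:
            findings.append(f"protocol {v} accepted")
    for s in suites:
        if is_weak_suite(s):
            findings.append(f"weak cipher suite offered: {s}")
    return findings


def _client_context():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing negotiation, not the certificate
    return ctx


def probe_version(host, port, version, timeout=5.0):
    """Pin the handshake to one TLS version; return the negotiated version string,
    or None if the server (or the local OpenSSL build) refused it.

    Caveat: modern OpenSSL builds may refuse to offer TLS1.0 at their default
    security level, so None means 'not negotiated', not 'server rejects it'."""
    ctx = _client_context()
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError, ValueError):
        return None


def probe_cipher(host, port, openssl_cipher_string, timeout=5.0):
    """Offer only the given OpenSSL cipher string (e.g. '3DES'); return the
    (name, version, bits) tuple the server picked, or None if refused."""
    ctx = _client_context()
    try:
        ctx.set_ciphers(openssl_cipher_string)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    host = "lb.example.invalid"  # placeholder: replace with your own endpoint
    observed_versions = []
    if probe_version(host, 443, ssl.TLSVersion.TLSv1):
        observed_versions.append("TLSv1")
    observed_suites = []
    picked = probe_cipher(host, 443, "3DES")
    if picked:
        observed_suites.append(picked[0])
    for finding in audit(observed_versions, observed_suites) or ["policy satisfied"]:
        print(finding)
```

Run it against a load balancer you are responsible for; any finding printed corresponds to one of the items the post asks to have disabled. Because `probe_version()` cannot distinguish a server that rejects TLS1.0 from a local OpenSSL that refuses to offer it, a clean result on that probe is only conclusive if your client library is known to still support TLS1.0.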

    Admin Response

    Hello, we are actively reevaluating our LB TLS policies and we should have updates early next year. Thanks for your feedback, it informs our discussions. Thanks