Is TLS 1.2 CBC based cipher suites are vulnerable to attacks even though cipher suites are in Schannel in Windows server 2019

Hi,

So, to answer your question, my answer is 'Yes', TLS 1.2 CBC ciphers are still potentially vulnerable, even with Schannel’s mitigations. If u remove them, u’re improving security, but u gotta make sure your clients can handle the stronger ciphers. If u’re running a modern environment, it’s probably worth it to ditch the CBC stuff and go full GCM. yeah, TLS 1.2 CBC cipher suites have had some known vulnerabilities in the past, like the BEAST and Lucky 13 attacks. But Windows Server 2019, through Schannel, has implemented some mitigations to reduce the risk of these attacks. So, while they’re not as vulnerable as they used to be, they’re still not the most secure option out there. If u’re super paranoid about security (and honestly, u should be), u might wanna avoid CBC-based ciphers altogether.

Now, if u remove those CBC-based cipher suites u listed, here’s what’s gonna happen u’re ditching the older, weaker ciphers, so u’re reducing the attack surface. That’s always a good thing, especially if u’re dealing with sensitive data. Some older clients or systems might not support the more modern cipher suites (like AES-GCM). If u disable CBC ciphers, those older systems might not be able to connect to your server. So, u gotta make sure all your clients are up-to-date and support stronger ciphers. CBC ciphers are a bit slower compared to AES-GCM because of the way they handle encryption. If u switch to GCM-based ciphers, u might actually see a performance boost. So, that’s a win-win. CBC ciphers are kinda on their way out. Modern security standards are pushing for AEAD ciphers like AES-GCM, which are more secure and efficient. By removing CBC ciphers, u’re aligning with modern best practices.

Hope that helps. If u’re still unsure, maybe test it in a staging environment first to see if anything breaks.

Rgds,

Alex