Hello @John Umman ,
I understand you have some questions regarding CBC ciphers and their usage in Azure services, which I've tried to answer below:
What is the timeline for MS to move away from CBC-based ciphers?
It actually depends on each product, as the impact of this change needs to be considered before making any updates.
Does MS consider their implementation of CBC-based ciphers to be secure?
Microsoft takes several security measures to ensure the safety of CBC ciphers in Azure services.
Firstly, Microsoft regularly monitors and updates the security of its services to ensure that they meet industry standards and best practices. This includes regular security assessments, penetration testing, and vulnerability scanning.
Secondly, Microsoft uses Transport Layer Security (TLS) to encrypt data in transit between Azure services and customers. TLS provides strong authentication, message privacy, and integrity, which enables detection of message tampering, interception, and forgery along with interoperability, algorithm flexibility, and ease of deployment and use.
Lastly, Microsoft is working on providing users with the ability to enable or disable TLS/SSL for connections to Azure services. This will allow users to customize their security settings based on their specific needs.
Is there a plan to provide users the ability to enable or disable ciphers in the future for these services?
Yes, there is a plan to provide users the ability to enable or disable ciphers in the future for these services, and work is in progress to add support for various services.
For example:
App Service: https://azure.github.io/AppService/2022/10/11/Public-preview-min-tls-cipher-suite.html
Azure App proxy: https://feedback.azure.com/d365community/idea/f9a84180-b925-ec11-b6e6-000d3a4f0789 --> in the roadmap.
Same for Azure Front Door --> It's in the roadmap.
Can MS provide a comprehensive list of all Azure-based resources (e.g. Azure Front Door, Azure Website, etc.) which use CBC, and any timelines to move to more secure algorithms?
I believe we don't have such a documented list available, but I will share this feedback to Azure backend teams and see how we can get this added.
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.