Regarding CBC ciphers and their usage in Azure services

John Umman 0 Reputation points
2023-09-28T13:44:05.9866667+00:00

Microsoft products such as Azure Front Door, Azure web apps, and Azure app proxy all use TLS cipher suites with CBC. Most of the cyber security tools flag ciphers with CBC as weak (e.g. SSL Labs). I wanted to know the following:

  1. What is the timeline for MS to move away from CBC-based ciphers?
  2. Does MS consider their implementation of CBC-based ciphers to be secure?
  3. Is there a plan to provide users the ability to enable or disable ciphers in the future for these services?
  4. Can MS provide a comprehensive list of all Azure-based resources (e.g. Azure Front Door, Azure Website, etc.) which use CBC and any timelines to move to more secure algorithms?

1 answer

  1. GitaraniSharma-MSFT 49,596 Reputation points Microsoft Employee
    2023-10-09T15:07:27.3933333+00:00

    Hello @John Umman ,

    I understand you have some questions regarding CBC ciphers and their usage in Azure services, which I've tried to answer below:

    What is the timeline for MS to move away from CBC-based ciphers?

    It actually depends on each product, as the impact of this change needs to be considered before making any updates.

    Does MS consider their implementation of CBC-based ciphers to be secure?

    Microsoft takes several security measures to ensure the safety of CBC ciphers in Azure services.

    Firstly, Microsoft regularly monitors and updates the security of its services to ensure that they meet industry standards and best practices. This includes regular security assessments, penetration testing, and vulnerability scanning.

    Secondly, Microsoft uses Transport Layer Security (TLS) to encrypt data in transit between Azure services and customers. TLS provides strong authentication, message privacy, and integrity, which enables detection of message tampering, interception, and forgery along with interoperability, algorithm flexibility, and ease of deployment and use.

    Lastly, Microsoft is working on providing users with the ability to enable or disable TLS/SSL for connections to Azure services. This will allow users to customize their security settings based on their specific needs.

    Is there a plan to provide users the ability to enable or disable ciphers in the future for these services?

    Yes, there is a plan to provide users the ability to enable or disable ciphers in the future for these services, and work is in progress to add support for various services.

    For example:

    App Service: https://azure.github.io/AppService/2022/10/11/Public-preview-min-tls-cipher-suite.html

    https://techcommunity.microsoft.com/t5/apps-on-azure-blog/min-tls-cipher-suite-preview-now-available-on-azure-portal-and/ba-p/3804134

    Azure App proxy: https://feedback.azure.com/d365community/idea/f9a84180-b925-ec11-b6e6-000d3a4f0789 --> in the roadmap.

    Same for Azure Front Door --> It's in the roadmap.

    Can MS provide a comprehensive list of all Azure-based resources (e.g. Azure Front Door, Azure Website, etc.) which use CBC and any timelines to move to more secure algorithms?

    I believe we don't have such a documented list available, but I will share this feedback with the Azure backend teams and see how we can get this added.

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
