SSL and TLS play critical roles in securing data transmission over the internet, and AES-256 is integral in their most secure configurations. The original standard was known as Secure Sockets Layer (SSL). Although it was replaced by Transport Layer Security (TLS), many in the industry still refer to TLS by its predecessor’s acronym. While TLS can be relied on for securing information at a high level—such as US Government TOP SECRET data—improper or outdated implementations of the standard may not provide much security.
Variations in which cipher is used in TLS impact how secure TLS ultimately is. Some ciphers are fast but insecure, while others are slower, require a greater amount of computational resources, and can provide a higher degree of security. Weaker ciphers—such as the early export-grade ciphers—still exist, but they should no longer be used.
The Advanced Encryption Standard (AES) is an encryption specification that succeeded the Data Encryption Standard (DES). AES was standardized in 2001 after a five-year review and is currently one of the most popular algorithms used in symmetric-key cryptography. It is often seen as the gold standard symmetric-key encryption technique, with many security-conscious organizations requiring employees to use AES-256 for all communications. It is also used prominently in TLS.
AES has been available in most cryptographic libraries for a long time. It became available in OpenSSL in 2002 with v0.9.7. OpenSSL is the foundation of most SSL services in UNIX and Linux environments, such as that used by LuxSci. GPG, the open source implementation of PGP, also includes an AES-256 option.
This article discusses AES, its role in TLS, which web browsers and email programs support it, and how you can ensure that you only use 256-bit AES encryption for communications that require a high level of security.
How secure are AES-256 and AES-128?
AES is Federal Information Processing Standard (FIPS) certified, and there are currently no known non-brute force attacks that work directly against AES. However, there are some side-channel timing attacks on the processing of AES. These are not feasible over a network environment and don’t apply to SSL in general. Because of this, AES is considered robust enough to protect secret government information:
“The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use.”
Out of the three different key lengths, AES-256 offers a higher degree of security than the 128-bit and 192-bit versions of the standard.
The Beast Attack and TLS-secured websites
When TLS is used to protect website traffic (as opposed to IMAP, SMTP, encryption of files, etc.), one attack against it is known as The Beast. This attack makes it possible for people with access to a trusted location on your network to break into your TLS session and eavesdrop on your communications.
Thankfully, The Beast attack can easily be prevented. All you have to do is use TLS v1.1+ ciphers. This is why The Beast is no longer considered a critical attack vector. See also:
How long will AES-256 remain suitable for security?
The rise of quantum computing has caused a stir in the security community, with fears that it will render many of our security algorithms useless. While quantum computing looks like it will change the landscape regarding public-key algorithms, it is not believed to have significant impacts on algorithms like AES-256 soon.
The biggest quantum computing threat against AES is currently considered to be Grover’s algorithm. It is theorized to be able to perform a brute-force key search using quadratically fewer steps than required in classical computing. The implication is that an attacker with access to a quantum computer may be able to successfully attack a cipher with a key twice the length of what would generally be possible in classical computing.
However, the expense of quantum hardware and real-world complications of using Grover’s algorithm mitigate the threat of these attacks. NIST states that “… AES 128 will remain secure for decades to come. Furthermore, even if quantum computers turn out to be much less expensive than anticipated, the known difficulty of parallelizing Grover’s algorithm suggests that both AES 192 and AES 256 will still be safe for a very long time.”
Currently, there is no great rush to move away from AES to other symmetric key algorithms.
How is the cipher chosen in an SSL or TLS session?
Generally, when an SSL client, such as an email program or web browser, connects to a server and wishes to use SSL or TLS, the client sends the server a list of encryption ciphers it supports. The server then goes through the list and chooses the first match it supports. Usually, the client orders the list with the most secure methods first so that the most secure method supported by both the client and server is selected. Sometimes, the client orders the list based on other criteria to make a compromise between security and speed. This can result in a sub-optimal cipher being chosen.
Most modern web and email servers that support TLS encryption will have a wide range of different encryption techniques that they support. These can vary from 128-bit RC4, to 256-bit AES, to others. This range of options allows users with old or broken software to still take advantage of encryption, even if it is weaker than what is considered ideal in many situations.
Additionally, most companies that provide security services do not permit techniques that are deemed weak and can be broken easily. If you are connecting to a reputable service provided over TLS, the type of encryption will almost certainly be determined by your client program (i.e., email program or web browser), based on the options listed by the server.
What encryption techniques are supported by modern web browsers?
The latest versions of most modern browsers should support appropriate encryption algorithms.
You can check out whether your web browser uses up-to-date security practices by visiting:
If it says “Probably Okay,” it means that no security problems could be detected. If it says “Improvable” or “Bad,” your browser may be using an outdated version of TLS or have other security issues. In this case, you need to update to the latest version of your browser or switch to a browser like Firefox or Chrome that is actively being developed.
What encryption techniques were supported by legacy web browsers?
Before AES support became universal for older web browsers, we analyzed cipher support to see which ones supported AES. For posterity, we include this information here:
Web Browser | Operating System | Best Cipher | Verdict? |
Native Android Browser (LG G3) | Android v4.4.2+ | AES 256-bit | Good! |
Chrome v39+ | Android v4.4.2+ | AES 256-bit | Good! |
Firefox Mobile v8+ | Android | AES 256-bit | Good! |
Safari | iOS v8+ (iPhone/iPad/etc.) | AES 256-bit | Good |
Safari | iOS v5.0.1 | AES 128-bit | Good |
Safari | iOS v2.2 | AES 128-bit | Good |
Silk | Kindle Fire | RC4 128-bit | Terrible |
Firefox v35+ | Windows XP & Vista, Mac OSX | AES 256-bit | Good! |
Firefox v8+ | Windows XP & Vista, Mac OSX | AES 256-bit | Good! |
Firefox v3.0.5 | Windows XP & Vista, Mac OSX | AES 256-bit | Good! |
Safari v8+ | Windows Vista/7, Mac OSX | AES 256-bit | Good |
Safari v5.1.2 | Windows Vista/7, Mac OSX | AES 128-bit | Good |
Safari v3.2.1 | Windows Vista, Mac OSX | AES 128-bit | Good |
Safari v3.2.1 | Windows XP | RC4 128-bit | Terrible |
Chrome v40+ | Windows Vista/7, Mac OSX | AES 256-bit | Good! |
Chrome v15+ | Windows Vista/7, Mac OSX | AES 256-bit | Good! |
Chrome v1.x | Windows Vista | AES 128-bit | Good |
Chrome v1.x | Windows XP | RC4 128-bit | Terrible |
Internet Explorer v11 | Windows 7 | AES 256-bit | Good |
Internet Explorer v9 | Windows 7 | AES 128-bit | Good |
Internet Explorer v9 | Windows Vista | RC4 128-bit | Terrible |
Internet Explorer v7 & v8 | Windows Vista | AES 128-bit | Good |
Internet Explorer v8 | Windows XP | RC4 128-bit | Terrible |
Internet Explorer v7 | Windows XP | RC4 128-bit | Terrible |
Internet Explorer v6 | Windows XP | RC4 128-bit | Terrible |
Opera v26+ | Mac OSX | AES 256-bit | Good! |
Opera v11.10+ | Windows Vista | AES 256-bit | Good! |
Opera v9.62 | Windows XP & Vista | AES 256-bit | Good! |
So, by default, legacy browsers will take advantage of AES encryption when available. We also found that any program that uses the old Windows default SSL libraries will use RC4 in Windows XP and 128-bit AES in Windows Vista.
What encryption techniques are supported by modern email programs?
As with web browsers, the answer depends on what the various email programs out there support. If you are using a WebMail interface to access your email, the answer depends on your web browser. The latest versions of well-known email programs will use suitable encryption techniques, including AES-256. If you are using outdated/legacy email software, you should immediately update it to the latest version.
What encryption techniques were supported by legacy email programs?
We tested several popular legacy email programs on legacy operating systems to see the best encryption cipher they could use. This was done before AES usage became essentially universal. Here are the results (for posterity):
Email Program | Operating System | Verdict? | Results |
Mozilla Thunderbird v2+ | Windows XP & Vista | Good! | 256-bit AES |
Thunderbird v2+ | Mac OSX v10.4.11 | Good! | 256-bit AES |
Outlook 2010 | Windows 7 | Good! | 256-bit AES |
Outlook 2007 | Windows XP | Terrible | 128-bit RC4 is the best supported |
Outlook 2007 | Windows Vista | Good | 128-bit AES chosen (though 256-bit is there, it is not listed 1st in the program and thus not used) |
Outlook 2003 | Windows XP | Terrible | 128-bit RC4 is the best supported |
Mail.app | Mac OSX v10.10 | Good | 256-bit AES |
Mail.app | Mac OSX v10.5.5 | Good | 128-bit AES chosen (though 256-bit is there, it is not listed 1st in the program and thus not used) |
Mail.app | Mac OSX v10.4.11 | Good | 128-bit AES chosen (though 256-bit is there, it is not listed 1st in the program and thus not used) |
Mail.app | iPhone v2.2 | Good | 128-bit AES chosen (though 256-bit is there, it is not listed 1st in the program and thus not used) |
Eudora v7 | Windows XP | Good | 256-bit AES |
Eudora v8 | Mac OSX v10.4 | Good | 256-bit AES |
Entourage v12 | Mac OSX v10.4 | Terrible | DES |
We see a similar pattern here. In most cases, the cipher used depended on the Operating System and not the program. Some programs roll their own SSL (i.e., Thunderbird/Eudora), and some use the OS built-in libraries. So, from this, we can infer that any newer version of Outlook on Vista or Windows 7+ will go for at least 128-bit AES; most things on Windows XP would use 128-bit RC4, etc.
How to force the use of AES-256 on secure web browsers and email programs
Web browsing clients like Mozilla Firefox or Opera and email clients like Thunderbird use AES-256 by default, as long as the server supports it.
However, it’s also possible to force the use of 256-bit AES encryption. This can be useful if your organization mandates that secure connections use 256-bit AES or if you do not trust that the servers you wish to connect to will have secure ciphers.
You can ensure that AES-256 is always used by following the instructions below. If the server does not support AES-256, the connection will fail.
Mozilla Firefox:
- Type “about:config” in the address bar to open up the detailed list of configuration parameters.
- Scroll down to “tls.version.min”, and ensure that it is set to “1” as an absolute minimum. This will turn off support for SSLv2 and SSLv3.
- Search for “ssl3.”
- Look for the ciphers that do not include “aes_256” in their names. If any of these say “true,” double click on them to change them to “false.” This will make them no longer available for use.
- You will be left with various versions of AES-256 with TLS v1.0+.
- You don’t have to restart Firefox for this to take effect.
Mozilla Thunderbird:
- From Thunderbird’s home screen, click on the three horizontal lines in the top right corner.
- Click Preferences, then Preferences once more in the menu that comes up.
- Click Advanced, then scroll to the bottom right where it says Config Editor. Click on Config Editor.
- Be aware that configuration changes can affect the program’s stability, and only proceed if you know what you are doing. Click I Accept the risk.
- Scroll down to “tls.version.min”, and ensure that it is set to “1” as an absolute minimum. This will turn off support for SSLv2 and SSLv3.
- Search for “ssl3.”
- Look for the ciphers that do not include “aes_256” in their names. If any of these say “true,” double click on them to change them to “false.” This will make them no longer available for use.
- Restart Thunderbird so that any persistent connections are broken and re-opened.
- Make sure that your email accounts are all configured to use SSL or TLS (not “if available,” but “always”).
- If possible, go to your email provider and disallow insecure connections to your account. This will make the connection fail if the email program is accidentally configured to make an insecure connection. (LuxSci allows this to be set at the user level or enforced by policy account-wide.)
Skype:
- It’s off-topic, but Skype uses 256-bit AES encryption, so if you use it for chat or voice calls, your data is also being encrypted in this fashion.
Locking down your website (in Apache)
If you are a website owner and have TLS security on it, you can lock it down so that the only cipher your website supports is 256-bit AES. This takes the choice out of the end user’s hands. They can either use AES-256, or they won’t be able to connect to the website. However, this also means that some users may not be able to access your site unless they change to a more secure browser.
To lock your site down so that it only supports 128-bit and 256-bit AES, add the following to your Apache httpd.conf file:
SSLCipherSuite AES256-SHA:AES128-SHA
This can be added globally, in a virtual host, or even in your .htaccess file. It will ensure that any successful connection to your site will use one of these ciphers. Be sure to add it to the secure settings for your site and not just the insecure site area. More information is available at Apache.
You will generally want only to support TLS v1.2+ and NIST-recommended cipher suites. See: what level of TLS is required for HIPAA.
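The selection rule from “How is the cipher chosen in an SSL or TLS session?” applied to the Apache cipher list above, as an added Python illustration that is not LuxSci's or Apache's code. The client preference lists are constructed from the behaviour this page reports (Vista-era Windows lists AES-128 ahead of AES-256, Windows XP offers no AES), and the `honor_server_order` option goes beyond the article to model a server that enforces its own ordering, as Apache's SSLHonorCipherOrder directive does.

```python
# Added illustration. Cipher names are OpenSSL-style; the client preference
# lists are constructed from the behaviour described on this page, not captured
# from real handshakes.
CLIENTS = {
    # Vista-era Windows library: offers both AES sizes, AES-128 listed first.
    "vista": ["AES128-SHA", "AES256-SHA", "RC4-MD5"],
    # XP-era Windows library: no AES at all by default.
    "xp": ["RC4-MD5", "RC4-SHA", "DES-CBC3-SHA"],
    # A client that orders its list by strength (the Firefox rows in the tables).
    "firefox": ["AES256-SHA", "AES128-SHA", "RC4-MD5"],
}


def parse_cipher_list(spec):
    """Split a colon-separated cipher list as written in SSLCipherSuite."""
    return [name for name in spec.split(":") if name]


def negotiate(client_prefs, server_spec, honor_server_order=False):
    """Return the selected cipher, or None when the two sides share none.

    Default: walk the client's list and take the first entry the server
    allows (the selection described in this article). With
    honor_server_order=True the server's own ordering decides instead.
    """
    server = parse_cipher_list(server_spec)
    if honor_server_order:
        ordered, other = server, client_prefs
    else:
        ordered, other = client_prefs, server
    allowed = set(other)
    for cipher in ordered:
        if cipher in allowed:
            return cipher
    return None  # handshake fails: no common cipher


def audit(server_spec, honor_server_order=False):
    """Map each sample client to the cipher it would end up with."""
    return {name: negotiate(prefs, server_spec, honor_server_order)
            for name, prefs in CLIENTS.items()}


if __name__ == "__main__":
    for spec in ("AES256-SHA:RC4-MD5", "AES256-SHA:AES128-SHA", "AES256-SHA"):
        for honor in (False, True):
            print(f"{spec:24} server_order={honor}: {audit(spec, honor)}")
```

With client-side ordering, listing AES128-SHA on the server lets the Vista-style client settle on 128-bit AES even though AES256-SHA appears first in the server's list; only removing it, or enforcing server order, guarantees AES-256.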
AES encryption is still reliable
AES encryption is still the preferred standard for TLS. On modern machines, it doesn’t noticeably affect performance while providing an adequate security level.
However, it’s important to note that TLS only protects data sent between you and the server. When you send and receive an email, the message data travels in the clear, so TLS does not protect it throughout the entire journey. The Case for Email Security explains this in more detail.
Thankfully, services like LuxSci’s SecureLine provide email encryption, which can safeguard your email the whole way. Contact our team for more information on how to protect your organization’s data.
I’m not sure how up to date this is, but:
I am running Apache 2.2 on Vista Home Premium x64 and have set SSLCipherSuite AES256-SHA:RC4-MD5 and when I connect to my website from the same system, the ssl access log shows AES256-SHA, when I connect from XP Home x32 to the site the log says RC4-MD5. Perhaps this is specific to Vista x64…
My Vista and XP both have the most recent updates
Hello,
There is nothing wrong or out of date here. The thing is that Vista supports AES256 and AES128, but given the choice of the two will pick AES128 for speed over security. XP doesn’t support AES at all by default.
In your web server, you specified only 2 possible ciphers — and the only AES one you allow is AES256. Thus, given the choice between AES256 and RC4, Vista will happily choose AES256. XP will choose RC4 as it does not support AES. This is what you see. However, if you included AES128 in your list of allowed ciphers, then Vista would use that instead of AES256.
I have done the Mozilla AES-256 encryption method (editing the about:config) and now I cannot log in to Yahoo! Mail; this has never happened before and it had worked fine before I changed my config. I believe that Yahoo! Mail is safe enough to log on, yet I cannot do so.
Here is the message I am receiving:
Secure Connection Failed
An error occurred during a connection to login.yahoo.com.
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)
* The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
* Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.
Any ideas?
Looks like Yahoo! Mail doesn’t support AES 256 encryption — so by restricting your browser to using it you have locked yourself out of Yahoo! Mail. Your choice is to either give up on the higher strength security so you can use Yahoo! Mail, or move to another email provider (like LuxSci) that does.
According to TechNet IE on Vista/Windows 7 supports AES-256.
http://technet.microsoft.com/en-us/library/cc766285(WS.10).aspx
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
Note that while they support it, they will choose 128-bit over 256 bit when both are available on the server side. So, if you are connecting to a site that is not 256-bit only, these systems will use only 128-bit AES. Microsoft judges that the speed up using 128-bit is more important than the security of using 256-bit.
Although AES won the world-wide competition for a new security standard to replace DES (and 3DES), it is not the only good encryption standard.
Two other competitors receive uniformly good marks: Blowfish (128) and TwoFish (its successor).