SSL proxy should only offer ciphers to website supported by client app
The Bitdefender SSL intercept/scan proxy should only offer ciphers to the remote website server that the client app offers to the proxy. So if I have configured my web browser app to not support any DES/3DES ciphers, then the Bitdefender proxy should in turn not be offering any DES/3DES ciphers to the website.
Currently the Bitdefender proxy offers the same long list of ciphers to each website regardless of how the client app is configured. Some of these ciphers are weak because they use DES/3DES. I have configured my web browser to not use DES/3DES ciphers, but with Bitdefender installed I cannot ensure the PC/server connection does not use DES/3DES.
Comments
You can test using Firefox with SSleuth add-on, disable DES/3DES ciphers using SSleuth, and then view results using this web site with Bitdefender SSL scanning enabled and disabled: https://www.ssllabs.com/ssltest/viewMyClient.html
With Bitdefender SSL scanning enabled and Firefox DES/3DES ciphers disabled, the Bitdefender proxy still offers up these weak ciphers:
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x13)
TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA (0x10)
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA (0xd)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
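The mirroring policy the post asks for, as an added example that is not code from the post or from Bitdefender: it parses the cipher_suites vector out of a TLS ClientHello, keeps only the suites the client itself offered (in the client's order) as the proxy's upstream offer, and flags any DES/3DES suite so a tester can spot one in an SSL Labs "View My Client" listing. The ClientHello bytes and the small suite-name table are constructed for the demonstration.

```python
import struct

# Constructed subset of IANA suite names; the 3DES IDs match the ones listed above.
SUITE_NAMES = {
    0x000a: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0xc012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0xc02f: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xc030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
}

def parse_client_hello_ciphers(record):
    """Return the cipher suite IDs from a TLS record carrying a ClientHello."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3)
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9 + 2 + 32                       # skip client_version and random
    sid_len = record[pos]
    pos += 1 + sid_len                     # skip session_id
    (cs_len,) = struct.unpack_from("!H", record, pos)
    pos += 2
    if cs_len % 2 or pos + cs_len > len(record):
        raise ValueError("truncated cipher_suites vector")
    return [struct.unpack_from("!H", record, pos + i)[0] for i in range(0, cs_len, 2)]

def is_weak(suite):
    """True for single-DES or 3DES suites (the ones the post complains about)."""
    name = SUITE_NAMES.get(suite, "")
    return "3DES" in name or "_DES_" in name

def upstream_offer(client_suites, proxy_supported):
    """Mirror policy: offer the website only suites the client offered, client order."""
    supported = set(proxy_supported)
    return [s for s in client_suites if s in supported]

def weak_suites(suites):
    """Names of DES/3DES suites present in an offer, for a quick audit."""
    return [SUITE_NAMES[s] for s in suites if is_weak(s)]

def build_client_hello(suites):
    """Constructed minimal TLS 1.2 ClientHello: zero random, no session id, no extensions."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    hello = build_client_hello([0xc02f, 0xc030, 0x1301])       # browser with 3DES disabled
    proxy = [0x000a, 0xc012, 0xc02f, 0xc030]                    # proxy's full static list
    print("upstream:", [SUITE_NAMES[s] for s in upstream_offer(parse_client_hello_ciphers(hello), proxy)])
    print("weak in proxy list:", weak_suites(proxy))
```

Running it shows the static proxy list carries two 3DES suites while the mirrored upstream offer carries none, which is the behaviour the post asks for.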