Closed pburkholder closed 9 months ago
How to get CloudFront logs is now documented in our internal-docs repo at docs/runbooks/AWS/aws-cloudfront-logs.md
The results for a site with 2M entries over two days, with a broad range of browsers is:
```
cat E(redacted)2* | grep -v '^#' | awk '{print $21, $22}' | sort | uniq -c
  14217 - -
  91905 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
    465 TLSv1.2 ECDHE-RSA-AES128-SHA256
1898244 TLSv1.3 TLS_AES_128_GCM_SHA256
```
The distro is using the TLSv1.2_2018 policy from the set of CloudFront policies.
For a government & finance related site we host, the results are for 5M entries on 2024-01-05:
```
cat E* | grep -v '^#' | awk '{print $21, $22}' | sort | uniq -c
 294883 - -
      6 TLSv1.2 AES128-GCM-SHA256
 530910 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
  10612 TLSv1.2 ECDHE-RSA-AES128-SHA256
     17 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
4674815 TLSv1.3 TLS_AES_128_GCM_SHA256
    204 TLSv1.3 TLS_AES_256_GCM_SHA384
```
This should be sufficient data for us to migrate to a more restrictive ciphersuite.
There were 6 uses of the deprecated AES128-GCM-SHA256 ciphersuite. They were from
a) a wireless provider in India, user-agent Mozilla/5.0%20(Windows%20NT%206.3;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/70.0.3538.77%20Safari/537.36
(note Chrome 70 is from October 2018)
b) a ZScaler client, user-agent Mozilla/5.0%20(Windows%20NT%206.1;%20WOW64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/44.0.2403.130%20Safari/537.3
(note Chrome 44 is from July 2015).
I've added a sheet to our ALB Ciphers workbook with these results.
At this point I recommend tls13-1-2-2021-06, which would not block the 0.2% of site B's users that are still using CBC ciphers.
Update - the notes on how to recover logs from Cloudfront are in a closed, unmerged PR: https://github.com/cloud-gov/internal-docs/pull/174
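The `awk '{print $21, $22}' | sort | uniq -c` tally above, done in Python against the CloudFront standard log format so the two classes of suites the thread breaks out (static-RSA key exchange, CBC mode) are flagged directly. This is an added example, not code from the issue or from cloud-gov; the log lines are constructed, and the weak-suite rule is an assumption, not the definition used by any CloudFront policy.

```python
"""Tally ssl-protocol / ssl-cipher pairs in CloudFront standard access logs."""
from collections import Counter

# Column names as CloudFront writes them in its "#Fields:" header (first 24 of 33).
FIELDS = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem "
          "sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type "
          "x-edge-request-id x-host-header cs-protocol cs-bytes time-taken x-forwarded-for "
          "ssl-protocol ssl-cipher x-edge-response-result-type cs-protocol-version").split()

def _row(proto, cipher, ua="Mozilla/5.0"):
    """Build one constructed, tab-separated log row; only the TLS columns matter here."""
    cols = ["-"] * len(FIELDS)
    cols[FIELDS.index("cs(User-Agent)")] = ua.replace(" ", "%20")  # CloudFront URL-encodes the UA
    cols[FIELDS.index("ssl-protocol")] = proto
    cols[FIELDS.index("ssl-cipher")] = cipher
    return "\t".join(cols)

SAMPLE_LOG = "\n".join([                      # constructed sample, not real traffic
    "#Version: 1.0",
    "#Fields: " + " ".join(FIELDS),
    _row("TLSv1.3", "TLS_AES_128_GCM_SHA256"),
    _row("TLSv1.3", "TLS_AES_128_GCM_SHA256"),
    _row("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    _row("TLSv1.2", "ECDHE-RSA-AES128-SHA256"),        # ECDHE but CBC mode
    _row("TLSv1.2", "AES128-GCM-SHA256", "Mozilla/5.0 (Windows NT 6.1) Chrome/44.0"),  # static RSA
    _row("-", "-"),                                    # plain HTTP, no TLS handshake
])

def tally(log_text):
    """Count (ssl-protocol, ssl-cipher) pairs; equivalent to the awk | sort | uniq -c pipeline."""
    counts, idx = Counter(), (20, 21)   # default: 1-based columns 21 and 22, as in the awk command
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):  # prefer the header so column drift cannot mislabel fields
            names = line.split()[1:]
            idx = (names.index("ssl-protocol"), names.index("ssl-cipher"))
        elif line and not line.startswith("#"):
            cols = line.split("\t")
            counts[(cols[idx[0]], cols[idx[1]])] += 1
    return counts

def weak_suites(counts):
    """Assumed rule: TLS 1.2 suites without ECDHE, or without an AEAD mode (GCM/CHACHA20), plus anything older."""
    def weak(proto, cipher):
        if proto in ("TLSv1", "TLSv1.1"):
            return True
        return proto == "TLSv1.2" and (not cipher.startswith("ECDHE-")
                                        or not ("GCM" in cipher or "CHACHA20" in cipher))
    return {k: n for k, n in counts.items() if weak(*k)}

def weak_share(counts):
    """Fraction of TLS requests (non-TLS '-' rows excluded) that used a weak suite."""
    tls_total = sum(n for (p, _), n in counts.items() if p != "-")
    return sum(weak_suites(counts).values()) / tls_total if tls_total else 0.0
```

Run `tally` over the real `E*` files (after concatenating them) to get the same numbers as the shell pipeline, then `weak_share` gives the proportion a stricter policy would turn away.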
In order to choose a ciphersuite that balances the needs of the public against current cryptographic standards, we should assess traffic to selected sites and analyse it.
Security considerations
Safe for assessing and publishing. We already discuss our ciphersuite selection on the cloud.gov site at https://cloud.gov/docs/compliance/domain-standards/#ssltls-implementation
Implementation sketch