List of SSL Cipher Support by Browser

Not really sure if this is the appropriate SE to post this to, but here it is: Is there some online reference for what SSL ciphers are supported by the various browsers? Basically, I'm interested in hardening systems by ensuring lower key lengths and old as dirt algorithms (DES and 3DES) aren't used for communication with the client.

The way to do this (at least with Apache mod_ssl) seems to be to control the supported ciphers the server gives during the handshake.

I want to be able to answer questions like "If I force AES256, which browsers will break?"

For some sites this is desirable as it gives us some guarantees as to the confidentiality of the conversation. If their browser only supports what is considered an insecure connection, we want the session to break so they're forced to use a more modern/robust client.


Solution 1:

Is this the right way to solve the problem?

All SSL/TLS servers should (must?) provide a mechanism for specifying a ciphersuite preference and available ciphers: if you don't want to use insecure algorithms then don't configure them. Do give a higher priority to stronger ciphers (if security is your priority).

Obviously we can't tell you what set of ciphers meet your security requirements. However, maintaining a list of the ciphers supported in your clients' browsers is a big task. And it's one which large companies like Google, PayPal, eBay and others actively undertake - why not just test what they are currently offering?

(do bear in mind that some sites will use HTTPS purely as a springboard to negotiating SPDY).
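The answer above recommends configuring the server so that weak ciphers are simply never offered. Apache's SSLCipherSuite directive takes an OpenSSL cipher-list string, and the part that is easy to get wrong is that a short string like "HIGH:!aNULL" expands to a long list of concrete suites, some of which you may not expect. The following is an added example, not code from the question or the answer: it expands a cipher-list string through Python's ssl module (which uses the same OpenSSL cipher-list syntax Apache mod_ssl uses) and flags any resulting suite that is below a key-strength floor or uses an algorithm you meant to exclude. The cipher string, the 128-bit floor and the banned-token list are assumptions chosen for illustration.

```python
import ssl

# Constructed example of the kind of string an Apache SSLCipherSuite directive
# would carry. This is an assumption for illustration, not taken from the page.
HARDENED_CIPHER_LIST = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES:!EXPORT"


def expand_cipher_list(cipher_list):
    """Return the concrete suites OpenSSL would offer for a cipher-list string.

    Each entry is a dict from SSLContext.get_ciphers(), including the suite
    'name', the 'protocol' it belongs to and its 'strength_bits'.
    An unparseable or fully-excluded list yields an empty result instead of
    raising, so callers can treat "nothing negotiable" as a finding too.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:
        return []
    return ctx.get_ciphers()


def weak_ciphers(cipher_list, min_bits=128, banned=("DES", "RC4", "MD5", "NULL")):
    """Return the names of suites in the expanded list that fail the policy.

    A suite fails if its effective key strength is below min_bits (3DES, for
    example, reports 112) or if its name contains one of the banned tokens.
    The thresholds are assumptions; adjust them to your own requirements.
    """
    findings = []
    for suite in expand_cipher_list(cipher_list):
        name = suite["name"]
        if suite["strength_bits"] < min_bits or any(tok in name for tok in banned):
            findings.append(name)
    return findings


def summarize(cipher_list):
    """Return (number of suites offered, list of weak suite names)."""
    offered = expand_cipher_list(cipher_list)
    return len(offered), weak_ciphers(cipher_list)


if __name__ == "__main__":
    # Show what the hardened string actually turns into on this OpenSSL build.
    count, weak = summarize(HARDENED_CIPHER_LIST)
    print(f"{HARDENED_CIPHER_LIST!r} expands to {count} suites")
    for suite in expand_cipher_list(HARDENED_CIPHER_LIST):
        print(f"  {suite['protocol']:8} {suite['strength_bits']:>3} bits  {suite['name']}")
    print("weak suites:", weak or "none")
```

Because the expansion depends on the OpenSSL version linked into the process, run this on the same host (or at least the same OpenSSL release) as the web server; a string that looks clean on a workstation can still include 3DES on an older build. The same approach answers the "which browsers will break?" question from the other side: once you know exactly which suites the server offers, you only need to compare that short list against the client data you collect.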