Why is Android / IE using 3DES when AES is available?

Solution 1:

Typically each client has their own preference in which ciphers they support.

To stick with your example: Android 5.0.0 supports a reasonable number but has some odd preferences, with some objectively weaker ciphers preferred over some stronger ones.

According to the SSL Labs scan (the "Cipher Suites (sorted by strength; the server has no preference)" section) your server will only support a limited number of ciphers and does not display a preference, leaving the cipher negotiation primarily to the client, which results in TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa).

Solution 2:

This behavior is determined by the cipher list passed from the client to the server, where the client tells the server what ciphers it supports, and which priority each of those ciphers has. Android, in particular, has made some insecure choices about the preference order of its cipher suites, preferring very insecure ciphers over secure ones that it supports, without giving any explanation as to why.

My suspicion is that it's a design choice. By choosing a less computationally intensive cipher, you use less power and therefore get more battery life, which is something consumers notice and care about in a smartphone, and in contrast, when it comes to security, as long as the end user sees that lock icon, "it's secure," and that's all they care about (if they even care that much).

So, they're using 3DES because they have a higher preference for that weaker cipher, and you allow it to be used. The only way to stop it from being picked by a client with dubious preferences is to remove it.

Solution 3:

To fix the issue already explained by @HBrujin and @HopelessN00b, you can set a preferred cipher list for the web server, which can also have preferences, not only the client. I recommend using the settings elaborated by the Bettercrypto.org project's Applied Crypto Hardening.

E.g. for Apache, you can use

SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'

in your settings for SSL/TLS. To support 3DES, remove 3DES from the string, but only if it is really necessary and you need to support software from the last century. This cipherstring can be used in business environments with old software (which is not recommended either, but business, you know...).
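
Added example (not part of any of the answers above): a small Python model of the suite selection described in Solutions 2 and 3, showing what each client ends up with when the server follows the client's order, when it enforces its own order, and when 3DES is removed. The client orderings are constructed for illustration and are not the real Android or IE lists; `negotiate` and `audit` are hypothetical helper names.

```python
"""Model of TLS cipher suite selection (TLS 1.2 and earlier)."""

WEAK = "TLS_RSA_WITH_3DES_EDE_CBC_SHA"
AES128 = "TLS_RSA_WITH_AES_128_CBC_SHA"
AES256 = "TLS_RSA_WITH_AES_256_CBC_SHA"
GCM = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

# Constructed ClientHello orderings (most preferred first); illustrative only,
# not the real lists of any Android or IE release.
CLIENTS = {
    "prefers-3des": [GCM, WEAK, AES128, AES256],
    "prefers-aes": [GCM, AES256, AES128, WEAK],
    "3des-only": [WEAK],
}


def negotiate(client_offer, server_suites, honor_server_order):
    """Return the suite the server selects, or None on handshake failure.

    honor_server_order=False: first client suite the server supports wins.
    honor_server_order=True: first server suite the client offered wins
    (what Apache's SSLHonorCipherOrder On asks mod_ssl to do).
    """
    if honor_server_order:
        ranked, other = server_suites, client_offer
    else:
        ranked, other = client_offer, server_suites
    return next((s for s in ranked if s in other), None)


def audit(server_suites, honor_server_order):
    """Map each constructed client to the suite it would end up with."""
    return {name: negotiate(offer, server_suites, honor_server_order)
            for name, offer in CLIENTS.items()}


if __name__ == "__main__":
    configs = {
        "no server preference": ([AES128, AES256, WEAK], False),
        "server preference, 3DES last": ([AES256, AES128, WEAK], True),
        "3DES removed": ([AES256, AES128], False),
    }
    for label, (suites, honor) in configs.items():
        print(label)
        for client, chosen in audit(suites, honor).items():
            print(f"  {client:13} -> {chosen or 'handshake failure'}")
```

Enforcing server order keeps the 3DES-only client working while moving every AES-capable client off 3DES; removing 3DES makes that legacy client fail the handshake.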