Website using TLS 1.0, and 128bit by default?

Website using TLS 1.0, and 128bit by default?

in Forum and Website Bugs

Posted by: AnonEMouse.7932

AnonEMouse.7932

I was checking the security of my browser recently, and removed a couple of unsafe SSL/TLS ciphers (like RC4) from the list of allowed ciphers.

When I then went to the main GW2 page today, instead of the normal website I would expect, I almost got a 1990’s text only version with a video embed. Which got me a little confused. So I loaded the page in another browser and it displayed fine.

So I reselected some ciphers and lo the site was back to it’s normal glory.

A little further digging, and it seems that GW2.com (and cloudfront.net), both use the outdated (and apparently horribly broken) TLS 1.0.

Now it is true that it also supports TLS 1.2, but the default is 1.0, using 128 bit encryption, even when the browser can support TLS 1.2 with 256 bit encryption.

Shouldn’t it be the other way around, in that the default should be TLS 1.2 using 256 bit encryption if the browser supports it, and only falling back to 128 bit if 256 bit is unsupported?