Small change to SSL ciphers

We’ve made a small technical change to the way our servers handle SSL connections. The change shouldn’t affect anyone, but we’re describing it here just for the record. If you have an SSL site with us and see any unexpected behavior, don’t hesitate to let us know.

The technical description of the change is that unless you’ve disabled both TLS 1.0 and SSLv3, our servers now prefer the “TLS_RSA_WITH_AES_128_CBC_SHA” cipher suite over DHE cipher suites like “TLS_DHE_RSA_WITH_AES_256_GCM_SHA384”. (We told you it was technical!)

This ensures compatibility with old versions of Java clients, which have a bug that prevents them from working with 2048-bit DHE primes. Those primes are used in an Apache web server update to minimize the impact of Logjam and similar attacks, so without this change, Java 6 clients (and older Java 7 and Java 8 versions) would fail to connect.

The drawback of this change is that it removes forward secrecy support with some very old browsers, like Internet Explorer on Windows XP. However, since those browsers are little used, the extra compatibility is a reasonable trade-off, and it is the same trade-off made by (for example) google.com. Forward secrecy still works with all modern browsers, because our servers prefer ECDHE ciphers to all others.
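The preference change described above, as an added worked example that is not the host’s own code or configuration: a small Python model of server-preference-order suite selection under the old and new orderings. The suite lists and client profiles are constructed for illustration, and the Java 6 limitation is modelled as a 1024-bit ceiling on the DHE prime.

```python
# Constructed model (not the host's code): server-preference-order cipher suite
# selection, showing why RSA was moved ahead of DHE for old Java clients.

class HandshakeFailure(Exception):
    pass

ECDHE = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
DHE_GCM = "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384"
DHE_CBC = "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"
RSA_CBC = "TLS_RSA_WITH_AES_128_CBC_SHA"

OLD_SERVER_ORDER = [ECDHE, DHE_GCM, DHE_CBC, RSA_CBC]
NEW_SERVER_ORDER = [ECDHE, RSA_CBC, DHE_GCM, DHE_CBC]  # RSA now ahead of DHE

# Constructed client profiles: suites offered, and the largest DHE prime the
# client accepts (None = no limit). Java 6 is modelled as rejecting > 1024 bits.
CLIENTS = {
    "modern browser": ([ECDHE, DHE_GCM, DHE_CBC, RSA_CBC], None),
    "Java 6": ([DHE_CBC, RSA_CBC], 1024),
    "IE on XP": ([DHE_CBC, RSA_CBC], None),
}

def negotiate(server_order, offered, max_dh_bits, server_dh_bits=2048):
    """Pick the first server-preferred suite the client offers, then apply the
    DHE prime-size check the client performs on the ServerKeyExchange."""
    for suite in server_order:
        if suite not in offered:
            continue
        if (suite.startswith("TLS_DHE_") and max_dh_bits is not None
                and server_dh_bits > max_dh_bits):
            raise HandshakeFailure(f"{suite}: {server_dh_bits}-bit DHE prime too large")
        return suite
    raise HandshakeFailure("no shared cipher suite")

def forward_secret(suite):
    """ECDHE and DHE suites give forward secrecy; static RSA key exchange does not."""
    return suite.startswith(("TLS_ECDHE_", "TLS_DHE_"))

def compare(order):
    """Outcome per client for one server ordering: negotiated suite or 'FAIL'."""
    results = {}
    for name, (offered, max_dh) in CLIENTS.items():
        try:
            results[name] = negotiate(order, offered, max_dh)
        except HandshakeFailure:
            results[name] = "FAIL"
    return results
```

Running `compare(OLD_SERVER_ORDER)` and `compare(NEW_SERVER_ORDER)` shows the trade-off from the post: the Java 6 profile fails under the old order and gets the RSA suite under the new one, the IE on XP profile drops from DHE to RSA (losing forward secrecy), and the modern browser gets ECDHE either way.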