I found an interesting post on another website by a Mr. Chris R. Chapman. The author explains what I had guessed about this situation.
Today, a friend remarked to me that according to an SSL framecheck site he uses (Fortify SSL Check) his 64-bit Win7 + IE8 configuration was registering as 128 bit AES by default, and not – as he anticipated – 256 bit AES (as Firefox does, for example).
This is true and by design: The IE team made a conscious decision to trade off cipher strength for speed, since 128 bits is sufficient for securing most channels reliably without impacting speed on HTML-heavy sites. However, what if you do want 256-bit AES cipher strength as the default for securing IE’s channel? Fear not – here’s the resolution I was able to surface:
The “magic” that makes this happen is in the list of ciphers which are parsed sequentially – I simply changed the order of the first four entries from:
- Launch “Edit Group Policy” from the Start menu.
- Navigate to Computer Configuration -> Administrative Templates -> SSL Configuration Settings via the treeview control.
- Note that in the right pane, the entry is not enabled – double-click the entry to bring up the edit dialog and select the “Enable” radio button.
- In the text box under Options on the left side, paste-in the comma-delimited list from the following file: File Attachment: ie8_ciphersuites_group_policy.txt (1 KB)
- Click OK and close off the policy editor dialog.
- Navigate to the Fortify site and verify that AES 256 is your default cipher strength.
So IE8 does indeed default to a 128-bit cipher the vast majority of the time regardless of the 256-bit cipher listing in HELP/ABOUT, unlike other browsers such as Firefox. Curious as to people's thoughts on this?
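For anyone who would rather script the same change than paste the attachment into gpedit, here is an added PowerShell example (mine, not Chapman's and not the contents of his attachment). It relies on the fact that the "SSL Cipher Suite Order" policy is stored as the REG_SZ value `Functions` under `HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002`, and the starting list below is a constructed, typical Windows 7 Schannel ordering that puts AES-128 ahead of AES-256. The `Get-PreferAes256Order` and `Set-SslCipherSuiteOrderPolicy` function names are my own.

```powershell
# Added example: reorder the Schannel cipher suite preference so AES-256 suites
# come before AES-128 suites, then write it to the same policy value gpedit uses.
# Names below are standard Windows 7 Schannel cipher suite names; the list itself
# is a constructed example, not the post's attachment.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# Constructed starting list: AES-128 listed first, as IE8 on Win7 prefers by default.
$DefaultOrder = @(
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_DHE_DSS_WITH_AES_128_CBC_SHA',
    'TLS_DHE_DSS_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
)

function Get-PreferAes256Order {
    param([string[]]$Suites)
    # Stable partition: every AES_256 suite first, then the rest, each group
    # keeping its original relative order so key-exchange preferences survive.
    $aes256 = $Suites | Where-Object { $_ -match 'AES_256' }
    $rest   = $Suites | Where-Object { $_ -notmatch 'AES_256' }
    return @($aes256) + @($rest)
}

function Get-SslCipherSuiteOrderPolicy {
    # Read back whatever the policy currently holds (null if the policy is unset).
    if (-not (Test-Path $PolicyKey)) { return $null }
    $item = Get-ItemProperty -Path $PolicyKey -Name 'Functions' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.Functions -split ','
}

function Set-SslCipherSuiteOrderPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Suites)
    $value = $Suites -join ','
    # Schannel only honours a Functions string of at most 1023 characters;
    # a longer list is silently ignored, so fail loudly instead.
    if ($value.Length -gt 1023) { throw "Cipher suite list exceeds 1023 characters" }
    if ($PSCmdlet.ShouldProcess($PolicyKey, 'Set Functions')) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $PolicyKey -Name 'Functions' -Value $value -Type String
    }
}

$ordered = Get-PreferAes256Order -Suites $DefaultOrder
$ordered | ForEach-Object { Write-Output $_ }
# Run elevated and drop -WhatIf to apply; the policy editor writes the same value.
Set-SslCipherSuiteOrderPolicy -Suites $ordered -WhatIf
Get-SslCipherSuiteOrderPolicy
```

Two things worth keeping in mind when using this: the `Functions` list is the complete set of suites Schannel will offer, so anything left out of it is disabled, not merely deprioritised; and the client order is only a preference, since the server picks the suite from what the client offers. That is why the post's last step, checking the negotiated cipher on the Fortify site after the change, is the real confirmation.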