I found an interesting post on another website by a Mr. Chris R. Chapman. The author explains what I had guessed about this situation.
Today, a friend remarked to me that according to an SSL framecheck site he uses (Fortify SSL Check) his 64-bit Win7 + IE8 configuration was registering as 128-bit AES by default, and not, as he anticipated, 256-bit AES (as Firefox does, for example).
This is true and by design: the IE team made a conscious decision to trade off cipher strength for speed, since 128 bits is sufficient for securing most channels reliably without impacting speed on HTML-heavy sites. However, what if you do want 256-bit AES cipher strength as the default for securing IE's channel? Fear not, here's the resolution I was able to surface:
- Launch “Edit Group Policy” from the Start menu.
- Navigate to Computer Configuration > Administrative Templates > SSL Configuration Settings via the treeview control.
- Note that in the right pane, the entry is not enabled. Double-click the entry to bring up the edit dialog and select the "Enable" radio button.
- In the text box under Options on the left side, paste in the comma-delimited list from the following file (attachment: ie8_ciphersuites_group_policy.txt, 1 KB).
- Click OK and close off the policy editor dialog.
- Reboot.
- Navigate to the Fortify site and verify that AES 256 is your default cipher strength.
The "magic" that makes this happen is in the list of ciphers, which are parsed sequentially. I simply changed the order of the first four entries from:
TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA
to:
TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA
Enjoy responsibly.
So IE8 does indeed default to a 128-bit cipher the vast majority of the time regardless of the 256-bit cipher listing in HELP/ABOUT, unlike other browsers such as Firefox. Curious as to people's thoughts on this?
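As an added illustration of the reordering step the quoted post describes, here is a small PowerShell script (written for this page; it is not Chris R. Chapman's attachment nor Microsoft's own tooling). It takes a comma-delimited Schannel cipher suite list, moves every AES_256 suite ahead of the remaining entries while preserving relative order within each group, and reads back whatever list the "SSL Cipher Suite Order" policy currently holds so you can check which AES suite the client will offer first. The registry path used for the policy value is an assumption stated here and in the code, not something the post gives; the script only reads it and never writes to the registry.

```powershell
# Added example (not from the quoted post): promote AES_256 cipher suites ahead of
# the rest of a Schannel cipher suite order list, and show the current policy value.
# ASSUMPTION: the "SSL Cipher Suite Order" group policy stores its list in this
# registry value; verify on your own system before relying on it.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$PolicyValue = 'Functions'

function Get-PreferAes256Order {
    param([Parameter(Mandatory)][string]$SuiteList)
    # Split the comma-delimited list, trim whitespace, drop empty entries.
    $suites = $SuiteList -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    # Stable partition: AES_256 suites keep their relative order and move to the
    # front; everything else keeps its relative order behind them.
    $aes256 = @($suites | Where-Object { $_ -match 'AES_256' })
    $rest   = @($suites | Where-Object { $_ -notmatch 'AES_256' })
    return ($aes256 + $rest) -join ','
}

function Get-CurrentSuiteOrderPolicy {
    # Returns the policy's list when the policy is set; $null means no policy is
    # configured and the OS default cipher suite order applies.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$PolicyValue
}

function Get-FirstAesSuite {
    param([Parameter(Mandatory)][string]$SuiteList)
    # The first AES suite in the list is the one the client will prefer to offer.
    return ($SuiteList -split ',' | Where-Object { $_ -match 'AES_(128|256)' } | Select-Object -First 1)
}

# Constructed sample input: the four entries exactly as the post lists them.
$sample = 'TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA'
$reordered = Get-PreferAes256Order -SuiteList $sample
Write-Output "Reordered list : $reordered"
Write-Output "First AES suite: $(Get-FirstAesSuite -SuiteList $reordered)"

$current = Get-CurrentSuiteOrderPolicy
if ($null -eq $current) {
    Write-Output 'No cipher suite order policy is set; the OS default order applies.'
} else {
    Write-Output "Policy currently prefers: $(Get-FirstAesSuite -SuiteList $current)"
}
```

Two points worth keeping in mind when using this. First, the function promotes every AES_256 suite, not just the two RSA ones the post swaps, so review the output before pasting it into the policy rather than applying it blindly. Second, the client's list only expresses a preference: the server picks the suite from what the client offers, so a reordered client list changes which AES strength is negotiated only where the server accepts both.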