The security and speed of the SSL/TLS protocol largely depends on the chosen cipher suite. A cipher suite is a set of cryptographic algorithms used for key exchange, authentication, encryption and message integrity verification. An incorrectly chosen cipher suite can put the site at risk or significantly slow it down. In this article we examine in detail modern cipher suites, their advantages and the future of cryptography.
Cipher suite composition
Each cipher suite consists of four parts: the key exchange algorithm (ECDHE, RSA), the authentication algorithm (RSA, ECDSA, EdDSA), the encryption algorithm (AES-GCM, ChaCha20-Poly1305) and the hash function (SHA-256, SHA-384). For example, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 means key exchange via ECDHE, authentication via RSA, encryption via AES-256-GCM and hashing via SHA-384.
AES vs ChaCha20
AES-GCM and ChaCha20-Poly1305 are the two main modern encryption algorithms. AES is very widespread and many processors have hardware acceleration for it (AES-NI instructions), which makes it very fast on desktop and server platforms. On devices without hardware AES acceleration (many mobile and older phones), ChaCha20 is 3-4 times faster than AES. Therefore modern servers should support both and choose according to the client's device.
Disabling old cipher suites
RC4, 3DES, DES, MD5, SHA-1, RSA key exchange and other old algorithms must be completely disabled. This not only benefits security but is also mandatory for compliance with PCI DSS, HIPAA and other regulatory standards. To get an A+ rating in the SSL Labs test, TLS 1.0 and 1.1 must also be disabled — leave only TLS 1.2 and 1.3.
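The following is an added example, not code from the article or from Sayt.uz: it splits an IANA-style TLS 1.2 cipher suite name into the four parts described above and flags the legacy components the article says must be disabled. The weakness rules and the sample suite list are assumptions constructed from the text, not from any particular server.

```python
from dataclasses import dataclass, field

# Legacy components named in the article: RSA key exchange, RC4/3DES/DES, MD5, SHA-1.
# A bare "SHA" at the end of an IANA suite name means SHA-1.
WEAK_KEX = {"RSA"}
WEAK_CIPHER_TOKENS = {"RC4", "3DES", "DES"}
WEAK_HASH = {"MD5", "SHA"}

@dataclass
class CipherSuite:
    name: str
    key_exchange: str
    authentication: str
    encryption: str
    hash: str
    problems: list = field(default_factory=list)

def parse_suite(name: str) -> CipherSuite:
    """Split TLS_<kx>_<auth>_WITH_<cipher>_<hash> and record why it must be disabled."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        # TLS 1.3 names (e.g. TLS_AES_256_GCM_SHA384) carry no kx/auth part;
        # key exchange and signature are negotiated separately there.
        raise ValueError(f"not a TLS 1.2-style suite name: {name}")
    left, right = name[len("TLS_"):].split("_WITH_", 1)
    kx_parts = left.split("_")
    # TLS_RSA_WITH_... has one token: RSA does both key exchange and authentication.
    if len(kx_parts) > 1:
        kx, auth = kx_parts[0], kx_parts[-1]
    else:
        kx = auth = kx_parts[0]
    body = right.split("_")
    hash_alg, enc = body[-1], "_".join(body[:-1])
    suite = CipherSuite(name, kx, auth, enc, hash_alg)
    if kx in WEAK_KEX:
        suite.problems.append("static RSA key exchange (no forward secrecy)")
    if set(enc.split("_")) & WEAK_CIPHER_TOKENS:
        suite.problems.append(f"legacy cipher {enc}")
    if hash_alg in WEAK_HASH:
        suite.problems.append(f"legacy hash {hash_alg}")
    return suite

def audit(names):
    """Return {suite name: problems} for every suite that must be disabled."""
    return {s.name: s.problems for s in map(parse_suite, names) if s.problems}

# Constructed sample list, as a server might advertise before cleanup.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
]
```

Running `audit(SAMPLE_SUITES)` keeps the first two suites silent and reports the last three, with the RC4/MD5 suite accumulating all three problems.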
Future of Post-quantum cryptography
With the development of quantum computers, today's RSA and ECDHE algorithms may be broken in the future. In 2024-2025 NIST adopted Post-Quantum Cryptography (PQC) standards: Kyber (for key exchange), Dilithium and Falcon (for digital signatures). Cloudflare and Google have already enabled the Kyber + X25519 hybrid (X25519MLKEM768). A full transition of all browsers and servers to PQC is planned from 2035.
Sayt.uz practice
100% of Sayt.uz clients run with the Mozilla "Intermediate" or "Modern" configuration. In the SSL Labs test, 94% of our clients receive an A+ rating and 6% an A. The cipher suite audit service costs 75,000 UZS one-time, and monthly monitoring 30,000 UZS. We started testing Post-quantum cryptography in 2034 and from 2036 will offer it to all clients. An early transition to PQC will be a step ahead of local competitors in the future.