Disable weak cipher for Google Cloud App engine custom domain website


Nikolaus Banjo

Mar 20, 2018, 9:01:37 AM
to Google App Engine
I have set up a custom domain website using a PHP Google Cloud App Engine. After some third party security testing I've been advised to disable the use of cipher suite DES-CBC3-SHA (TLS_RSA_WITH_3DES_EDE_CBC_SHA).

I'm trying to find out if it's possible to disable this for a Google PHP App Engine? Most of what I can find online either doesn't answer this particular question or is somewhat out of date.

I found this post useful, https://stackoverflow.com/questions/42681247/can-google-app-engine-java-support-tls1-0 . This suggests it's not possible, however it doesn't actually answer the question, it just concludes that if it's good enough for Google it should be fine.

Fady (Google Cloud Platform)

Mar 20, 2018, 11:13:49 AM
to Google App Engine

Hello Nikolaus,


For the time being, you do not have the option to disable 3DES yourself. However, I created a private issue tracker (sent privately) to investigate whether the backline team can disable it for your custom domain.

Meanwhile, if your goal is to create a Payment Card Industry Data Security Standard (PCI DSS) compliant environment, you may check this document for best practices.


Nikolaus Banjo

Mar 20, 2018, 4:02:47 PM
to Google App Engine
Thank you, I look forward to hearing back from them.

Attila-Mihaly Balazs

Mar 21, 2018, 3:07:05 AM
to Google App Engine
In addition to what was said: there is always a tradeoff between usability and security and I trust that the Google engineers did a very thorough evaluation of the different options - which they possibly could share with you so that you can push back on the auditors.

Attila

Samuel Melrose

Mar 21, 2018, 10:43:50 AM
to Google App Engine
Hello Fady,

Is the official stance of Google that App Engine can't be PCI-DSS compliant, only GCE?

When we discussed with account management, they said it was compliant as long as we put a WAF in front, like Cloudflare.

Attila-Mihaly Balazs

Mar 22, 2018, 1:46:36 AM
to Google App Engine
AFAIK Cloudflare has that same cipher (as a very last resort - just like Google - so realistically 99.999% of the clients won't use it): https://github.com/cloudflare/sslconfig/blob/master/conf

So, yeah, "auditors".

Samuel Melrose

Mar 22, 2018, 4:30:16 AM
to Google App Engine
Thankfully, if using Cloudflare Enterprise, you can enable TLSv1.2+ only and they move you to a different set of IP ranges to support this.

I'm curious why Google are suggesting that App Engine shouldn't be PCI-DSS compliant, since their site states it is, as well as being sold that way by their account managers:

Are they going to remove that come June 30th when TLSv1.2+ becomes a requirement, or will they just not stop supporting the old ciphers on App Engine at the GFE?

Nikolaus Banjo

Mar 22, 2018, 1:19:58 PM
to Google App Engine
Attila-Mihaly Balazs also touched on this.

But if it is the case that it is not possible to disable this for our custom domain could the Google engineers looking into this please provide the reasoning for this cipher still being used?

I need something to feed back to the third party security testers so that they will eventually give us their stamp of approval. It would help others if this was posted here, but I would also probably need this sent to my email address so that I can forward it on to the testers as some kind of proof they can document.

Just something reasonable explaining or defending the decision. Explaining how they consider it to be secure. How this will only apply to old clients, as my understanding is that modern browsers cannot be downgraded to support older protocols. That these settings are used across other Google services and that Google will automatically handle deprecating these settings once they consider them to no longer be secure. Also anything else they think would be relevant to add to the explanation, thanks.

Rajesh Kumar

Mar 26, 2018, 11:22:00 PM
to Google App Engine
Nice 

Jesse Scherer (Google Cloud Support)

Apr 3, 2018, 4:35:17 PM
to Google App Engine
One aside: I'm curious where Google suggests that App Engine should not be PCI-DSS compliant; this seems like a documentation issue that we should fix.

Fady (Google Cloud Platform)

Apr 3, 2018, 5:15:05 PM
to Google App Engine

To update this community thread: working with Nikolaus and the Engineering team, we were able to disable the cipher (3DES) for his custom domain.
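For anyone who needs to hand the testers evidence that a custom domain no longer negotiates this suite, here is an added check (example code, not from the thread or from Google): it offers the server only DES-CBC3-SHA over TLS 1.2 or lower and reports whether the handshake goes through. The host name in the `__main__` block is a placeholder, and the verdict is only meaningful if the local OpenSSL build can offer 3DES at all, which the first function tests.

```python
import socket
import ssl

# OpenSSL's name for TLS_RSA_WITH_3DES_EDE_CBC_SHA, the suite the testers flagged.
CIPHER_3DES = "DES-CBC3-SHA"


def local_openssl_can_offer_3des():
    """Many OpenSSL builds (1.1.0+ without enable-weak-ssl-ciphers) cannot offer
    3DES at all; probing from such a host would give a false 'rejected'."""
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).set_ciphers(CIPHER_3DES)
    except ssl.SSLError:
        return False
    return True


def classify_handshake_error(exc):
    """A handshake-failure alert means the server refused our 3DES-only offer;
    anything else (wrong version, reset, certificate trouble) is inconclusive."""
    text = str(exc).lower()
    if "handshake failure" in text or "no shared cipher" in text:
        return "rejected"
    return "unknown"


def probe_3des(host, port=443, timeout=5.0):
    """Offer only DES-CBC3-SHA and report 'offered', 'rejected',
    'unreachable' or 'unknown'."""
    if not local_openssl_can_offer_3des():
        return "unknown"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # 3DES suites do not exist in TLS 1.3
    ctx.set_ciphers(CIPHER_3DES)
    # Only the negotiated cipher matters here, so certificate checks are skipped;
    # SNI (server_hostname) is still sent because the GFE selects config per domain.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "offered" if tls.cipher()[0] == CIPHER_3DES else "unknown"
    except ssl.SSLError as exc:  # TCP connected, TLS handshake failed
        return classify_handshake_error(exc)
    except OSError:  # DNS failure, connection refused, timeout
        return "unreachable"


if __name__ == "__main__":
    # Placeholder host: substitute the custom domain being verified.
    print(probe_3des("www.example.com"))
```

Run it before and after the change for a before/after record; "rejected" after the change is the result the testers are asking for.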


Samuel Melrose

Apr 4, 2018, 3:35:05 AM
to Google App Engine
Thanks guys from Google Cloud Support.

I have to ask though - we have 15+ custom domains across multiple different apps, all of which have to be PCI-DSS compliant.

Are you saying the platform won't be compliant by default? (by having the weak cipher enabled and suggesting it has to be disabled manually per domain, plus by the end of June, TLSv1.2+ only will be a requirement).

We chose App Engine for the out of the box PCI-DSS compliance, but this thread seems to be suggesting otherwise?

We do have Gold support so I will open this privately closer to the deadline, but for the benefit of others who may have the same issue, it would be great if we could get an answer here.

Jesse Scherer (Google Cloud Support)

Apr 4, 2018, 4:49:58 PM
to Google App Engine
Samuel,

You're completely correct that the requirements change in June, but for now the PCI Security Standards Council seems to consider 3DES to be "strong security." Given that June is only a few months away, security consultants are understandably interested in knowing more about the transition plan. Thus this thread.

First, for future readers: "[t]he PCI Attestation of Compliance for Google Cloud Platform is shared with customers under NDA." If you need more details, reach out to the sales team to get the relevant documentation. You don't need a support contract for this.

Now to your question, I don't know (and given the NDA requirement probably couldn't share) what specific changes will be made ahead of the new requirements. If having those specifics is important, please reach out to the sales folks. If getting ahead of the requirements is important, then go ahead and file a ticket with technical support now.

Regards,
Jesse

Michael

May 21, 2018, 2:41:12 PM
to Google App Engine
Hi Fady,

We have a similar security requirement for our Java Google App Engine Standard site. Is it possible to disable that cipher for our custom domain?