Open SSL 08-24-2016

Sweet32 Birthday Attack: What You Need to Know

Jason Sabin

Today, researchers announced the Sweet32 Birthday attack, which affects the triple-DES cipher. Although OpenSSL rated the triple-DES vulnerability as low, they stated “triple-DES should now be considered .” security experts as well as other security pros recommend disabling any triple-DES cipher on your servers.

The Sweet32 Birthday attack does not affect SSL Certificates; certificates do not need to be renewed, reissued, or reinstalled.

About the Attack

The DES ciphers (and triple-DES) only have a 64-bit block size. This enables an attacker to run JavaScript in a browser and send large amounts of traffic during the same TLS connection, creating a collision. With this collision, the attacker is able to retrieve information from a session cookie.

The triple-DES cipher is supported by a vast majority of HTTPS servers and all major web browsers—around 600 of the . Fortunately, most browsers opt to use AES rather than triple-DES when making an HTTPS connection.

How to Mitigate the Sweet32 Birthday Attack

To mitigate, follow one of these steps:

  • Disable any triple-DES cipher on servers that still support it
  • Upgrade old servers that do not support stronger ciphers than DES or RC4
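
An added example (not from the original post or from OpenSSL) that ties the two sections above together: it estimates the ciphertext-collision probability for 64-bit versus 128-bit blocks, and checks suite names and an OpenSSL cipher string for DES/triple-DES. The function names, name patterns and sample suite list are assumptions made for illustration; `des_suites_enabled` reflects only the local OpenSSL build, which may have triple-DES compiled out.

```python
import math
import ssl

# Name fragments marking DES / triple-DES suites (64-bit block), covering
# OpenSSL-style ("DES-CBC3-SHA") and IANA-style ("..._3DES_EDE_CBC_SHA") names.
DES_MARKERS = ("3DES", "DES-CBC3", "DES-CBC", "_DES_")

def is_des_suite(name):
    """True if a cipher suite name refers to DES or triple-DES."""
    upper = name.upper()
    return any(marker in upper for marker in DES_MARKERS)

def collision_probability(data_bytes, block_bits):
    """Birthday approximation of the chance that two ciphertext blocks
    collide after data_bytes are encrypted under one key."""
    blocks = data_bytes / (block_bits // 8)
    return -math.expm1(-blocks * (blocks - 1) / 2 ** (block_bits + 1))

def des_suites_enabled(cipher_string):
    """Expand an OpenSSL cipher string with the local library and return
    the DES/3DES suites it enables (empty list means none)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # the string selects no suites at all in this build
    return [c["name"] for c in ctx.get_ciphers() if is_des_suite(c["name"])]

if __name__ == "__main__":
    # Constructed sample: suite names as a scanner might report them.
    offered = ["ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA",
               "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "AES256-SHA"]
    print("disable:", [n for n in offered if is_des_suite(n)])

    volume = 2 ** 35  # 32 GiB sent over one connection (one key)
    for label, bits in (("3DES", 64), ("AES", 128)):
        print(f"{label}: p(collision) = {collision_probability(volume, bits):.3g}")

    for cipher_string in ("HIGH:!aNULL", "HIGH:!aNULL:!3DES"):
        print(cipher_string, "->", des_suites_enabled(cipher_string))
```

An empty list from `des_suites_enabled` for the cipher string your server actually uses is the result to aim for after applying the mitigation.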

OpenSSL Fix

Because OpenSSL rated the Sweet32 Birthday attack as "Low Severity," they put the fix into their repository. For more information, see the or the .
