Today, researchers announced the, which affectsthe triple-DES cipher. Although the the triple-DES vulnerability as low, they stated “triple-DES should now be considered .” security experts as well as other security pros recommend disabling any triple-DES cipher on your servers.
The Sweet32 Birthday attack does not affect SSL Certificates; certificates do not need to be renewed, reissued, or reinstalled.
The DES ciphers (and triple-DES) only have a 64-bit block size. This enables an attacker to run JavaScript in a browser and sendlarge amounts of traffic during the same TLS connection, creating a collision. With this collision, the attacker is able to retrieve information from a session cookie.
The triple-DES cipher is supported by a vast majority of HTTPS servers and all major web browsers—around 600 of the . Fortunately,most browsers opt to use AES rather than triple-DES when making an HTTPS connection.
To mitigate, follow one of these steps:
Because OpenSSL rated the Sweet32 Birthday attack as "Low Severity," they put the fix into their repository. For more information, see the or the .