Today, researchers announced the Sweet32 Birthday attack, which affects the triple-DES cipher. Although the OpenSSL team rated the triple-DES vulnerability as low, they stated “triple-DES should now be considered as ‘bad’ as RC4.” DigiCert security experts as well as other security pros recommend disabling any triple-DES cipher on your servers.
The Sweet32 Birthday attack does not affect SSL Certificates; certificates do not need to be renewed, reissued, or reinstalled.
About the Attack
The triple-DES cipher is supported by a vast majority of HTTPS servers and all major web browsers—around 600 of the most-visited websites. Fortunately, most browsers opt to use AES rather than triple-DES when making an HTTPS connection.
How to Mitigate the Sweet32 Birthday Attack
To mitigate, follow one of these steps:
- Disable any triple-DES cipher on servers that still support it
- Upgrade old servers that do not support stronger ciphers than DES or RC4