The “Sweet32 Birthday Attack” does not affect SSL Certificates, but system administrators should disable any Triple-DES cipher.
Today, researchers announced the Sweet32 Birthday attack, which affects the triple-DES cipher. Although the OpenSSL team rated the triple-DES vulnerability as low, they stated “triple-DES should now be considered as ‘bad’ as RC4.” DigiCert security experts as well as other security pros recommend disabling any triple-DES cipher on your servers.
The Sweet32 Birthday attack does not affect SSL Certificates; certificates do not need to be renewed, reissued, or reinstalled.
About the Attack
The triple-DES cipher is supported by the vast majority of HTTPS servers and by all major web browsers, including around 600 of the most-visited websites. Fortunately, most browsers opt to use AES rather than triple-DES when making an HTTPS connection.
How to Mitigate the Sweet32 Birthday Attack
To mitigate, follow one of these steps:
- Disable any triple-DES cipher on servers that still support it
- Upgrade old servers that do not support stronger ciphers than DES or RC4
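The first step above amounts to auditing the cipher list your server is configured with and removing every triple-DES suite (OpenSSL spells these `DES-CBC3`, the IANA registry spells them `3DES`). The following added example, written for this post and not DigiCert's own tooling, takes a cipher list as it would appear in an Apache `SSLCipherSuite`, nginx `ssl_ciphers` or HAProxy `ssl-default-bind-ciphers` directive, flags triple-DES (and, since the second step mentions them, single-DES and RC4) suites, and rebuilds the list with explicit `!3DES:!DES:!RC4` exclusions appended. The exclusions matter because a keyword such as `HIGH` or `ALL` can re-enable triple-DES on older OpenSSL versions even after the named suites are removed. The sample cipher string is constructed for illustration.

```python
"""Audit a TLS cipher list for triple-DES and other legacy suites (Sweet32 mitigation).

Constructed example; not DigiCert's or OpenSSL's own code. Accepts OpenSSL-style
names (DES-CBC3-SHA) and IANA names (TLS_RSA_WITH_3DES_EDE_CBC_SHA) mixed freely.
"""
import re
from typing import Dict, List, Optional, Tuple

# Substrings that identify each legacy family. Order matters: triple-DES is
# checked before single-DES so that "DES-CBC3-SHA" is not misread as single DES.
# "CBC3" is OpenSSL's spelling of triple-DES, "3DES" the IANA spelling.
# "DES-CBC-" / "_DES_" match only single DES (the '3' in CBC3 / 3DES breaks them).
LEGACY_MARKERS = {
    "3DES": ("CBC3", "3DES"),
    "DES": ("DES-CBC-", "_DES_"),
    "RC4": ("RC4",),
}

# Exclusions appended so later keywords (HIGH, ALL, DEFAULT) cannot bring the
# families back; written in OpenSSL cipher-string syntax.
EXCLUSIONS = ["!3DES", "!DES", "!RC4"]


def classify(cipher: str) -> Optional[str]:
    """Return the legacy family a suite name belongs to, or None if it is not flagged."""
    name = cipher.strip().upper()
    if name.startswith(("!", "-")):
        return None  # an exclusion entry is not an enabled suite
    for family, markers in LEGACY_MARKERS.items():
        if any(marker in name for marker in markers):
            return family
    return None


def audit_cipher_list(cipher_list: str) -> Tuple[List[str], Dict[str, str]]:
    """Split a ':'/','/whitespace-separated cipher list into the suites to keep
    and a mapping of flagged suite -> legacy family."""
    suites = [s for s in re.split(r"[:,\s]+", cipher_list) if s]
    kept: List[str] = []
    flagged: Dict[str, str] = {}
    for suite in suites:
        family = classify(suite)
        if family is None:
            kept.append(suite)
        else:
            flagged[suite] = family
    return kept, flagged


def hardened_cipher_string(cipher_list: str) -> str:
    """Rebuild the list without flagged suites and append explicit exclusions
    (without duplicating any exclusion the administrator already wrote)."""
    kept, _ = audit_cipher_list(cipher_list)
    present = {s.upper() for s in kept}
    return ":".join(kept + [e for e in EXCLUSIONS if e not in present])


# Constructed sample: a typical pre-2016 Apache SSLCipherSuite value that still
# offers two triple-DES suites, RC4, and the HIGH keyword.
SAMPLE_CIPHER_LIST = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:"
    "DES-CBC3-SHA:AES256-SHA:RC4-SHA:HIGH"
)

if __name__ == "__main__":
    kept, flagged = audit_cipher_list(SAMPLE_CIPHER_LIST)
    for suite, family in flagged.items():
        print(f"REMOVE  {suite:32s} ({family})")
    for suite in kept:
        print(f"keep    {suite}")
    print("hardened:", hardened_cipher_string(SAMPLE_CIPHER_LIST))
```

Running the script against the constructed sample reports both `DES-CBC3` suites and `RC4-SHA` for removal and emits `ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA:HIGH:!3DES:!DES:!RC4` as the replacement directive value. After changing the configuration, confirm the result from the outside with `openssl s_client -cipher 3DES -connect host:443`, which should fail to negotiate a connection.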
Because OpenSSL rated the Sweet32 Birthday attack as “Low Severity,” they committed the fix to their source repository. For more information, see the Sweet32 Issue, CVE-2016-2183 blog or the Sweet32 website.