Today, researchers announced the Sweet32 Birthday attack, which affects the triple-DES cipher. Although the OpenSSL team rated the triple-DES vulnerability as low, they stated “triple-DES should now be considered as ‘bad’ as RC4.” DigiCert security experts as well as other security pros recommend disabling any triple-DES cipher on your servers.
The Sweet32 Birthday attack does not affect SSL Certificates; certificates do not need to be renewed, reissued, or reinstalled.
The DES ciphers (and triple-DES) only have a 64-bit block size. This enables an attacker to run JavaScript in a browser and send large amounts of traffic during the same TLS connection, creating a collision. With this collision, the attacker is able to retrieve information from a session cookie.
The triple-DES cipher is supported by a vast majority of HTTPS servers and all major web browsers—around 600 of the most-visited websites. Fortunately, most browsers opt to use AES rather than triple-DES when making an HTTPS connection.
To mitigate, follow one of these steps:
Because OpenSSL rated the Sweet32 Birthday attack as "Low Severity," they put the fix into their repository. For more information, see the Sweet32 Issue, CVE-2016-2183 blog or the Sweet32 website.