SWEET32 : triple-DES should now be considered as “bad” as RC4.

[tdelmas]

https://www.openssl.org/blog/blog/2016/08/24/sweet32/

I think 3DES should be flagged INSECURE, as RC4 are.

[RobTho]

the final nail to IE@XP's coffin
https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=8&platform=XP&key=101

The situation with 3DES is a bit different though, as it requires a substantial amount of data encrypted with the same key - so it can be effectively mitigated by disabling Keep-Alive, or setting the maximum number of requests to something conservative (Apache and Nginx default to 100). So it can be used safely, assuming other changes are made to limit the amount of traffic that is encrypted with the same kay.

[RobTho]

yeah currently, till the attack is improved...

@RobTho There's a limit to how much the attack can be improved though, as it relies on collisions - if you disable Keep-Alive in HTTP/1.1, you eliminate the attack model. If your TLS stack can limit the number of blocks using the same key, eliminated (I believe CloudFlare is going this route).

I'd love to see 3DES die, but it's not as clear when it's dangerous as it is with RC4.

[RobTho]

Hi,
i know the limit. But this does not mean that someone found an easier / faster way to break 3DES, soon.
RC4 break was also improved later on afaik.

[andersk]

Every cipher is potentially subject to the discovery of easier and faster attacks. When evaluating which attacks are likely to be improved, it’s important to take into account the nature of the attacks. The RC4 attacks exploit subtle statistical patterns in the cipher output, and could be improved by finding stronger patterns. The SWEET32 attacks do not break the internals of the block cipher at all. They are a generic observation about the number of blocks that can be safely encoded with the same key using any 64-bit block cipher in CBC mode—whether it’s triple-DES, Blowfish, or even an ideal random permutation oracle—before there is a significant risk of collisions. We know everything there is to know about this risk; it is not mathematically possible for a new attack to increase the generic probability of collisions for a given number of blocks. So to find a better attack on triple-DES, one would have to discover some weakness in the block cipher itself. Again, that could happen, but it would be an entirely new attack path, and we have no evidence that it’s particularly likely. DES seems to have stood the test of time remarkably well.

[vaitguy]

Is there a way to mitigate this using IISCrypto?

[bhushan5640]

SWEET32 detection is now available via "Future grade" feature.
https://blog.qualys.com/ssllabs/2017/01/18/ssl-labs-grading-changes-january-2017

[darkhacknet]

so how can I exploit this vulnerability ? please help bros, i cant find really good info .. =/