TLS/SSL Sweet32 attack
Description
The Sweet32 attack exploits a cryptographic weakness in legacy 64-bit block ciphers (such as 3DES and Blowfish) used in TLS/SSL connections. When large amounts of data are transmitted over a single connection using these ciphers, attackers can exploit birthday attack principles to recover plaintext data, including session cookies and authentication tokens. This vulnerability affects servers that still support these obsolete cipher suites.
Remediation
Disable support for all 64-bit block ciphers on your TLS/SSL servers. Specifically, remove cipher suites using 3DES (DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA) and Blowfish from your server configuration.
For Apache, edit your SSL configuration to exclude weak ciphers:
SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128
SSLHonorCipherOrder on

For Nginx, update the ssl_ciphers directive:

ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!3DES';
ssl_prefer_server_ciphers on;

After making changes, restart your web server and verify the configuration using a TLS testing tool such as SSL Labs' SSL Server Test to ensure that 64-bit block ciphers are no longer offered.
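To check a cipher string locally before deploying it (and to confirm the result after restarting), the following added example, which is not part of this advisory, parses the verbose suite listing that `openssl ciphers -v` prints and reports every suite whose bulk cipher has a 64-bit block. It goes slightly beyond the 3DES and Blowfish named above: single DES, IDEA and RC2 also have 64-bit blocks and are flagged too. The sample listings `BEFORE` and `AFTER` are constructed in the real `openssl ciphers -v` column format, not captured from a server; the function and file names are this example's own.

```python
"""Flag Sweet32-affected suites (64-bit block ciphers) in `openssl ciphers -v` output."""
import re
import subprocess

# Labels OpenSSL prints in the Enc= column for 64-bit block ciphers:
# triple DES, single DES, Blowfish (BF), IDEA and RC2.
SIXTY_FOUR_BIT_BLOCK_CIPHERS = {"3DES", "DES", "BF", "IDEA", "RC2"}

# Matches e.g. "Enc=3DES(168)" or "Enc=AESGCM(256)" and captures the algorithm label.
_ENC_FIELD = re.compile(r"\bEnc=([A-Za-z0-9]+)")


def parse_cipher_line(line: str):
    """Return (suite_name, bulk_cipher_label) for one `openssl ciphers -v` line, or None."""
    fields = line.split()
    if not fields:
        return None
    match = _ENC_FIELD.search(line)
    if match is None:
        return None
    return fields[0], match.group(1).upper()


def find_sweet32_suites(ciphers_v_output: str) -> list:
    """Names of all suites in the listing whose bulk cipher has a 64-bit block size."""
    hits = []
    for line in ciphers_v_output.splitlines():
        parsed = parse_cipher_line(line)
        if parsed is None:
            continue
        name, bulk = parsed
        if bulk in SIXTY_FOUR_BIT_BLOCK_CIPHERS:
            hits.append(name)
    return hits


def check_cipher_string(cipher_string: str) -> list:
    """Expand an OpenSSL cipher string with the local `openssl` binary and flag
    64-bit block suites in it. Useful for testing an SSLCipherSuite or
    ssl_ciphers value before deploying it; requires `openssl` on PATH."""
    result = subprocess.run(
        ["openssl", "ciphers", "-v", cipher_string],
        capture_output=True, text=True, check=True,
    )
    return find_sweet32_suites(result.stdout)


# Constructed sample listings in `openssl ciphers -v` format (not real server output).
BEFORE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
"""

AFTER = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
"""

if __name__ == "__main__":
    print("before:", find_sweet32_suites(BEFORE))  # ['ECDHE-RSA-DES-CBC3-SHA', 'DES-CBC3-SHA']
    print("after:", find_sweet32_suites(AFTER))    # []
```

To test the Apache value from this page against your own OpenSSL build, call `check_cipher_string("HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128")`; an empty list means no 64-bit block suite survives the expansion. Note that this checks the cipher string, not the running server, so the SSL Labs scan (or an equivalent) is still the final confirmation.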