Caddy: Deletion of 3DES from the supported ciphers
Should 3DES be deleted from the supported ciphers list because of SWEET32? It’s already not in the default ciphers list and starting with OpenSSL 1.1 it will not get compiled by default, so I guess we don’t need it either.
[1] https://sweet32.info/
[2] https://www.openssl.org/blog/blog/2016/08/24/sweet32/
mkoppmann
All 2 comments
At CloudFlare we still see a non-zero ‰ of connections that need it. Not making an argument for default inclusion, but it's the best way to get XP+IE clients to connect, so it should be possible to turn it on IMHO.
With #1070, once it's at the end of the ciphers list it will be only used if strictly necessary.
Sweet32 is anyway borderline practical. I might make a Go crypto/tls patch to make the connection fail after 64GB to address it.
FiloSottile
on 26 Aug 2016
Implementing a data limit sounds like a good compromise. 32–40GB are needed to get the first collision with ~50% probability. 64GB sounds like a reasonable value to make the connection fail because as you said, Sweet32 is still pretty impractical as the attacker would need to be in a position where he can observe 100% of the traffic.
mkoppmann
on 26 Aug 2016
Related issues
whs
·
3Comments
SteffenDE
·
3Comments
wayneashleyberry
·
3Comments
crvv
·
3Comments
muhammadmuzzammil1998
·
3Comments
Most helpful comment
At CloudFlare we still see a non-zero ‰ of connections that need it. Not making an argument for default inclusion, but it's the best way to get XP+IE clients to connect, so it should be possible to turn it on IMHO.
With #1070, once it's at the end of the ciphers list it will be only used if strictly necessary.
Sweet32 is anyway borderline practical. I might make a Go crypto/tls patch to make the connection fail after 64GB to address it.