After careful analysis, the Alert Logic research team decided that Apache HTTPD, Oracle HTTP Server, and Nginx are not, by default, vulnerable to the SWEET32 attack.
An important requirement for the attack to be successful is to send many requests in the same TLS connection. Under a customized configuration of servers, a server could eventually - after three or four days - become vulnerable if Triple Data Encryption Algorithm (3DES) is enabled. Because this server configuration is non-default, reporting SWEET32 as a vulnerability on Apache servers could result in false positives for most customers.
While 3DES is vulnerable to SWEET32 in some configurations, it is also generally considered a weak cipher. Alert Logic recommends that users of 3DES disable all 64-bit block weak ciphers and upgrade to a strong cipher like Advanced Encryption Standard (AES-256); this will resolve potential SWEET32 vulnerabilities in uncommon Apache configurations.
Comments
0 comments
Please sign in to leave a comment.