New submission from Christian Heimes:

Another attack with a catchy name and logo. This time 3DES is showing its age. 
3DES should be removed from the list of server ciphers in 
ssl._RESTRICTED_SERVER_CIPHERS. For client ciphers we can leave it in for now. 
An attack requires dynamic code execution of code from a malicious 3rd party 
and several hundred GB of traffic. It's relevant for browsers with JS but not 
for the majority of Python applications. OpenSSL 1.1.0 will remove 3DES support by 
default anyway.

https://www.openssl.org/blog/blog/2016/08/24/sweet32/
https://sweet32.info/

> As seen previously, the full attack should require 2^36.6 blocks (785 GB) to 
> recover a two-block cookie, which should take 38 hours in our setting. 
> Experimentally, we have recovered a two-block cookie from an HTTPS trace of 
> only 610 GB, captured in 30.5 hours.

----------
components: Library (Lib)
messages: 273559
nosy: alex, christian.heimes, dstufft, giampaolo.rodola, janssen
priority: critical
severity: normal
status: open
title: Remove 3DES from cipher list (sweet32 CVE-2016-2183)
type: security
versions: Python 2.7, Python 3.3, Python 3.4, Python 3.5, Python 3.6

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue27850>
_______________________________________
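As an added example (not part of the tracker message or of CPython's ssl module), an audit of the kind this report asks for: list which enabled suites still encrypt with 3DES (the 64-bit-block cipher Sweet32 targets), exercised on a constructed sample in the shape `SSLContext.get_ciphers()` returns and on a live server context, together with the OpenSSL cipher-string form of the fix. The function names `find_3des`, `server_cipher_names` and `without_3des` are my own.

```python
import ssl

# Constructed sample in the shape SSLContext.get_ciphers() returns, so the
# audit can be exercised even on builds where OpenSSL no longer ships 3DES.
SAMPLE_CIPHERS = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2",
     "description": "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA "
                    "Enc=AESGCM(128) Mac=AEAD"},
    {"name": "DES-CBC3-SHA", "protocol": "SSLv3",
     "description": "DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1"},
    {"name": "ECDHE-RSA-DES-CBC3-SHA", "protocol": "SSLv3",
     "description": "ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA "
                    "Enc=3DES(168) Mac=SHA1"},
]


def find_3des(ciphers):
    """Names of suites whose bulk cipher is 3DES.

    OpenSSL names these DES-CBC3-* and describes them as Enc=3DES(168);
    checking both fields catches either spelling.
    """
    return [c["name"] for c in ciphers
            if "Enc=3DES" in c.get("description", "") or "DES-CBC3" in c["name"]]


def without_3des(cipher_string):
    """Cipher-string form of the fix: exclude OpenSSL's 3DES alias.

    The '!' exclusion is appended last so nothing earlier in the string
    (e.g. HIGH, which still contained 3DES in OpenSSL 1.0.x) re-enables it.
    """
    return cipher_string + ":!3DES"


def server_cipher_names(cipher_string):
    """Suite names a server context built from cipher_string would offer."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.set_ciphers(cipher_string)
    return find_3des(ctx.get_ciphers()), [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    print("3DES suites in sample:", find_3des(SAMPLE_CIPHERS))
    weak, enabled = server_cipher_names(without_3des("ALL:!aNULL:!eNULL"))
    print("server offers", len(enabled), "suites; 3DES suites left:", weak)
```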