"This server is vulnerable to the SWEET32 attack. Make sure weak ciphers (DES and 3DES) are disabled on the server and use AES."
The Sweet32 birthday attack targets the 3DES cipher. Although the OpenSSL team rated the 3DES issue (CVE-2016-2183) as low severity, they noted that "3DES should now be considered as 'bad' as RC4." DigiCert security experts and other security professionals recommend disabling every 3DES cipher suite on the server.
DES (and 3DES) ciphers have a block size of only 64 bits. With 64-bit blocks, two ciphertext blocks are expected to collide after about 2^32 blocks, roughly 32 GB of data, on a single connection. An attacker who can run JavaScript in the victim's browser can make it send a large volume of requests over one long-lived TLS connection until such a collision occurs. In CBC mode, a collision between a block whose plaintext the attacker chose and a block carrying the session cookie reveals the XOR of the two plaintexts, and therefore the cookie block itself.
The vast majority of HTTPS servers and all major web browsers still support 3DES ciphers, and around 600 of the most visited websites use them. Fortunately, most browsers prefer AES over 3DES for HTTPS connections, so 3DES is only negotiated when the server's own preference order favours it or it offers nothing better.
Use one of the following solutions:
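The mechanics described above, as an added example written for this page (it is not DigiCert's or OpenSSL's code): the birthday bound behind the "large volume of traffic", a scaled-down CBC collision that recovers a repeated secret block the way SWEET32 recovers a cookie, and a check that flags 64-bit block ciphers in an offered cipher list before you disable them. The 16-bit toy permutation, the cipher-name token list and the sample cipher names are assumptions constructed for the demonstration.

```python
"""Added example for this page (not DigiCert's or OpenSSL's code): why a 64-bit
block size breaks under the SWEET32 birthday attack, and how to audit a TLS
cipher list for such ciphers.  The toy cipher and sample data are constructed."""
import math
import random

# --- 1. The birthday bound behind "a large volume of traffic" ---------------

def blocks_for_collision(block_bits, probability=0.5):
    """Encrypted blocks after which two ciphertext blocks collide with the given
    probability: n ~= sqrt(2 * 2**b * ln(1 / (1 - p)))."""
    space = 2.0 ** block_bits
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - probability))))

def traffic_for_collision(block_bits, probability=0.5):
    """Ciphertext bytes one connection must carry to reach that probability.
    64-bit blocks (DES/3DES): tens of GB.  128-bit blocks (AES): ~1e20 bytes."""
    return blocks_for_collision(block_bits, probability) * (block_bits // 8)

# --- 2. Turning a CBC collision into cookie recovery (scaled down) ----------

BLOCK_BITS = 16   # assumption: 16-bit blocks so the collision shows up instantly

class ToyBlockCipher:
    """A keyed random permutation on BLOCK_BITS-bit blocks.  It shares with
    DES/3DES only the property SWEET32 needs: equal ciphertext blocks mean
    equal cipher inputs.  It is not a real cipher."""
    def __init__(self, key):
        self.table = list(range(1 << BLOCK_BITS))
        random.Random(key).shuffle(self.table)

    def cbc_encrypt(self, blocks, iv):
        out, prev = [], iv
        for p in blocks:
            prev = self.table[p ^ prev]   # C_i = E(P_i XOR C_{i-1})
            out.append(prev)
        return out

def sweet32_recover(cipher, secret, n_requests, seed=1):
    """SWEET32 setting: attacker JavaScript makes the victim's browser send
    n_requests over one CBC connection.  Each request is an attacker-chosen
    block followed by the secret cookie block.  The attacker sees the
    ciphertext and knows only his own blocks; returns the secret or None."""
    rng = random.Random(seed)
    plain, known = [], {}                 # known: block index -> chosen value
    for _ in range(n_requests):
        chosen = rng.getrandbits(BLOCK_BITS)
        known[len(plain)] = chosen
        plain.append(chosen)
        plain.append(secret)              # the cookie travels in every request
    iv = rng.getrandbits(BLOCK_BITS)
    ct = cipher.cbc_encrypt(plain, iv)
    chain = [iv] + ct                     # chain[i] is XORed into P_i under CBC
    first = {}                            # ciphertext value -> first index seen
    for j, c in enumerate(ct):
        i = first.setdefault(c, j)
        if i == j:
            continue
        # C_i == C_j  =>  P_i ^ chain[i] == P_j ^ chain[j]
        if i in known and j not in known:          # known block vs cookie block
            return known[i] ^ chain[i] ^ chain[j]
        if j in known and i not in known:
            return known[j] ^ chain[j] ^ chain[i]
    return None                           # not enough traffic yet

# --- 3. Auditing an offered cipher list -------------------------------------

# Name tokens (OpenSSL or IANA style) that denote 64-bit block ciphers.
# Assumption: this hand-written token list, not an authoritative registry.
WEAK_64BIT_TOKENS = {"DES", "3DES", "DES40", "IDEA", "RC2", "BF", "CAST", "CAST5"}

def uses_64bit_block(cipher_name):
    """True for e.g. 'ECDHE-RSA-DES-CBC3-SHA' or 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'."""
    tokens = cipher_name.upper().replace("_", "-").split("-")
    return any(t in WEAK_64BIT_TOKENS for t in tokens)

def harden(cipher_names):
    """Split an offered cipher list into (keep, drop)."""
    drop = [c for c in cipher_names if uses_64bit_block(c)]
    keep = [c for c in cipher_names if c not in drop]
    return keep, drop

# Constructed sample: what a scanner might report a server as offering.
SAMPLE_OFFERED = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-DES-CBC3-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "DES-CBC-SHA",
]

if __name__ == "__main__":
    for bits in (64, 128):
        print(f"{bits}-bit blocks: 50% collision after ~{traffic_for_collision(bits):.3e} bytes")
    toy = ToyBlockCipher(key=7)
    print("recovered cookie block:", hex(sweet32_recover(toy, 0xBEEF, 2000)))
    keep, drop = harden(SAMPLE_OFFERED)
    print("keep:", keep)
    print("drop (64-bit block):", drop)
```

The recovery step is exact: because the toy cipher is a permutation, equal ciphertext blocks force equal cipher inputs, so one collision between an attacker-known block and a cookie block yields the cookie with no guessing; only the amount of traffic needed changes when the block grows from 16 to 64 bits. To check a live server with standard tooling, `openssl s_client -cipher 'DES-CBC3-SHA' -connect host:443` completing the handshake means the server still accepts 3DES (some OpenSSL builds need the cipher enabled explicitly on the client side); after the fix the server should reject it with a handshake failure alert.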
©2020 DigiCert, Inc. All rights reserved. DigiCert, its logo and CertCentral are registered trademarks of DigiCert, Inc. Norton and the Checkmark Logo are trademarks of NortonLifeLock Inc. used under license. Other names may be trademarks of their respective owners.