Zoho always tries to provide the utmost security and privacy to our users, and here is one such instance. This one is about removing weak and insecure ways of accessing our platform and strengthening it, from time to time, in line with industry-standard recommendations.
3DES, a 64-bit block cipher, is one of the algorithms used for encryption. Block ciphers with such a short block size are vulnerable to a type of cryptographic attack known as the birthday attack. Due to this vulnerability, all Zoho services will stop supporting 3DES from January 31, 2017.
After Zoho disables the 3DES cipher, any communication with a Zoho service will need to use an AES (128/256) cipher for encryption. All modern browsers, clients and operating systems support robust algorithms like AES. To avoid issues connecting to Zoho services, we advise our users to stay up to date and move to such current systems.
1) Internet Browsers:
We monitored our traffic and observed that around 98% of users connecting via 3DES are using IE on Windows XP or Windows 2003 server. These legacy systems do not support AES-based ciphers by default. As these systems are no longer supported by their vendor, we recommend that our customers upgrade their OS or at least use the latest browsers, such as Firefox or Chrome.
2) API Integrations:
If your APIs use the 3DES cipher to access Zoho's applications, please update your API to connect via AES (128/256). Refer to the following to set the cipher suite for the language you are using:
Java - Set the cipher suite in javax.net.ssl.SSLSocket.
Ruby - Set the preferred cipher suite in OpenSSL::SSL::SSLContext.
PHP - Set CURLOPT_SSL_CIPHER_LIST in your cURL options to a list of cipher suites that use AES for encryption.
Python - Set the cipher suite in SSLContext.set_ciphers.
C# - Use CipherAlgorithmType AES.
You can also refer to SSL Labs to check whether you will be affected by this measure. Do get in touch with the respective Zoho product team in case you have any queries.
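For the Python item, the following added example (not Zoho's code) builds a client context restricted to AES suites with SSLContext.set_ciphers and then audits what is actually enabled. The cipher string and the helper names are assumptions chosen for this example; the announcement only specifies AES (128/256) in place of 3DES.

```python
import socket
import ssl

# Assumption: this OpenSSL cipher string is chosen for the example; the
# announcement only says to use AES (128/256) instead of 3DES.
AES_ONLY = "ECDHE+AESGCM:ECDHE+AES:AES:!3DES:!aNULL:!eNULL"


def build_aes_context(cipher_string=AES_ONLY):
    """Client context with certificate checks on and only AES suites enabled."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return ctx


def triple_des_suites(ctx):
    """Names of enabled suites that use 3DES (OpenSSL names them *DES-CBC3*)."""
    return [c["name"] for c in ctx.get_ciphers()
            if "3DES" in c["name"] or "DES-CBC3" in c["name"]]


def non_aes_suites(ctx):
    """Enabled TLS 1.2-and-earlier suites that are not AES-based.

    TLS 1.3 suites are skipped: set_ciphers() does not control them, and
    TLS 1.3 defines no 3DES suite.
    """
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3" and "AES" not in c["name"]]


def negotiated_cipher(host, port=443, timeout=10):
    """Connect and return (suite name, protocol, secret bits) actually agreed."""
    ctx = build_aes_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()


if __name__ == "__main__":
    ctx = build_aes_context()
    print("3DES suites enabled:", triple_des_suites(ctx))
    print("non-AES suites enabled:", non_aes_suites(ctx))
```

Calling negotiated_cipher() with the hostname your integration connects to shows the suite the server actually selected; a handshake failure with this context means the peer or an intermediate proxy offers no AES suite.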