Sweet32: Birthday attack on 64-bit block cipher - Withdrawal of 3DES cipher support for all Zoho services - 31/01/2017

Sweet32: Birthday attack on 64-bit block cipher - Withdrawal of 3DES cipher support for all Zoho services - 31/01/2017

Zoho always tries to provide utmost security and privacy to our users and here is one such instance. This is about removing weak and insecure ways to access our platform and strengthening it based on industry standard recommendations from time to time.


3DES,  a 64-bit block cipher,  is one of the algorithms used for encryption. These block ciphers, with short block size, are vulnerable to a type of  cryptographic attack, known as the Birthday Attack. Due to this vulnerability, all Zoho services will stop extending support to 3DES from January 31, 2017.


After Zoho disables 3DES cipher, any communication with a Zoho service will need to use AES (128/256) cipher for encryption. All modern browsers/clients and operating systems support robust algorithms like AES. In order to avoid issues connecting with Zoho services, we advice our users to stay up-to-date and update to such latest systems.


1) Internet Browsers:

We monitored our traffic and observed that around 98% of users connecting via 3DES are using IE on Windows XP or Windows 2003 server. These legacy systems do not support AES based ciphers by default. As these systems are no longer supported by its vendor, we  recommend our customers to upgrade their OS or at least use latest   browsers like Firefox/Chrome.

 

2) API Integrations:
If your APIs use 3DES cipher to access Zoho's Applications, please update your API to connect via AES(126,256). Refer the following to set the cipher suite for the language you are using:

 

Java     - Set the cipher suite in javax.net.ssl.SSLSocket.

Ruby    - Set the preferred cipher suite in OpenSSL::SSL::SSLContext

PHP     -  Set CURLOPT_SSL_CIPHER_LIST to a list cipher suites that uses AES for encryption to your Curl options.

Python - Set the cipher suite in SSLContext.set_ciphers.

c#        - Use CipherAlgorithmType AES.

 

You can also refer SSLLabs to check whether you will be affected by this measure. Do get in touch  with the respective Zoho product team in c ase you have any queries.

Take  these measures right away so that you are not affected by this attack.  To know more about the sweet32 vulnerability, refer : https://sweet32.info/

      • Sticky Posts

      • Zoho MVP Batch of 2023

        Image: Zoho MVP Batch of 2023 Presenting the Zoho MVPs for 2023: Michael Trow Damien Cregan Kevin Flynn Donald Love Gordon Mankelow Abhishek Sharma Nik Khairul Bryan Pape Hugh Marshall Bhoomi Joshi Mikhail Koval Ken Florian Sven Rösser Our MVPs are passionate
      • Thanksgiving 2022 - Celebrating Zoho Community SuperBuds

        One of the things we love most about our Zoho User Community is how readily our users help each other out, and share their Zoho and business knowledge. Be it the community forums, the virtual and in-person meetups, or Zoholics, it's been heart-warming
      • Zoho MVP Batch of 2022

        Image: Zoho MVP Batch of 2022 Zoho MVPs are passionate customers and partners who go out of their way in helping the community members. With their significant contributions in the community forums, they help cut short the learning curve of the members,
      • ZOHO-20 to fight COVID-19

        While the world economy is taking a hit, we, at Zoho, are doing our bit to help small businesses come out of this crisis. Here are all the programs and packages offered by Zoho to fight Covid-19. 1. ESAP: The Small Business Emergency Subscription Assistance Program (ESAP) gives our severely impacted small business customers access to Zoho software they currently use, free for three months. All Zoho customers with 25 employees or fewer who have been severely impacted by the coronavirus-related downturn
      • ​Issues with Forum posts approval in Zoho Community

        Hi All, Issue: Some of you have reported that the posts/comments made today are going for moderation. The issue started few hours ago, and the behaviour was reported in CRM and Creator Forums by a few customers/partners. We were able to see the same problem in a few other product forums too. How it impacts you: Don't worry if you find that your posts and comments are stuck in moderation. Your posts/comments are safe. Please don't duplicate them. We're keeping a tab on the development and approving