September 23, 2016

Security Update: Protecting our network against SWEET32 vulnerabilities (CVE-2016-2183)

On August 24, 2016, security experts disclosed a vulnerability (CVE-2016-2183) in the 3DES block cipher, which is commonly used in SSL/TLS communication over the internet. This vulnerability, named SWEET32, exploits a limitation in 3DES that allows remote attackers to obtain partial or full cleartext by monitoring an encrypted HTTPS session for a sufficiently long period of time. With enough encrypted data, the attacker will eventually find a “collision” between two encrypted blocks of text, which will then allow them to recover the plaintext of those blocks.
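
The collision property described above can be reproduced at toy scale. The following Python sketch is an added example, not part of the original advisory: it assumes CBC mode and uses a keyed random permutation over 16-bit blocks as a stand-in for 3DES (whose blocks are 64 bits), with constructed random plaintext and illustrative function names. It shows that two equal ciphertext blocks reveal the XOR of the two corresponding plaintext blocks, so knowing one of them yields the other.

```python
import random

BLOCK_BITS = 16                      # toy size (assumption); 3DES uses 64-bit blocks
N = 1 << BLOCK_BITS

def make_cipher(key):
    """Keyed random permutation of all 16-bit blocks (toy stand-in for 3DES)."""
    table = list(range(N))
    random.Random(key).shuffle(table)
    return table

def cbc_encrypt(table, iv, plaintext_blocks):
    """CBC: c_i = E(p_i XOR c_{i-1}) with c_0 = IV. Returns [IV, c_1, ...]."""
    out = [iv]
    for p in plaintext_blocks:
        out.append(table[p ^ out[-1]])
    return out

def find_collisions(ciphertext):
    """Return (i, j) pairs, i < j, where ciphertext blocks i and j are equal."""
    seen, pairs = {}, []
    for idx in range(1, len(ciphertext)):      # index 0 is the IV
        c = ciphertext[idx]
        if c in seen:
            pairs.append((seen[c], idx))
        else:
            seen[c] = idx
    return pairs

def leaked_xor(ciphertext, i, j):
    """E is a permutation, so c_i == c_j implies p_i ^ c_{i-1} == p_j ^ c_{j-1}."""
    return ciphertext[i - 1] ^ ciphertext[j - 1]

def demo(n_blocks=2000, seed=1):
    rng = random.Random(seed)
    plaintext = [rng.randrange(N) for _ in range(n_blocks)]   # constructed sample data
    ct = cbc_encrypt(make_cipher(seed + 1), rng.randrange(N), plaintext)
    results = []
    for i, j in find_collisions(ct):
        # ciphertext index k corresponds to plaintext index k - 1
        actual = plaintext[i - 1] ^ plaintext[j - 1]
        results.append((i, j, leaked_xor(ct, i, j), actual))
    return results

if __name__ == "__main__":
    hits = demo()
    print(f"{len(hits)} collisions in 2000 blocks of a {BLOCK_BITS}-bit cipher")
    for i, j, leaked, actual in hits[:3]:
        print(f"blocks {i},{j}: leaked XOR {leaked:#06x}, actual XOR {actual:#06x}")
```

Collisions become likely after roughly 2^(n/2) blocks under one key for an n-bit block, which is why a 64-bit block cipher is exposed on long-lived sessions while a 128-bit block cipher such as AES is not at practical data volumes.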
Within 30 days, our team will be removing 3DES from our CDN’s default cipher suite. We will continue to support 3DES for our customers on a case-by-case basis. Customers who require this support will need to contact our support team by September 30, 2016 to avoid any disruption in service.
If you have any questions, please contact our support team in our Network Operations Center.