As of late last year, the level of trust given to the 3DES cipher was downgraded by OpenSSL, the maker of the most common encryption software used by servers and browsers, which sits behind much of the security we take for granted, such as that in online banking. The reason for the downgrade was that 3DES uses only a 64-bit block size, which leaves it particularly vulnerable to a birthday attack.
I discovered during a regular security check of this site that my instance of Apache was still willing to use 3DES when negotiating a secure connection, and Nessus was therefore flagging the issue for me. Like most people, I don’t care for having warning flags in Nessus if I can help it, so I set about strengthening the encryption settings by altering the SSLCipherSuite setting in Apache. Rather than reinvent the wheel, I thought I’d best link to a site that gives a clear explanation of how to disable 3DES in both Apache and Nginx. After changing my cipher suites and reloading Apache, a second Nessus scan showed no use of weak ciphers, and thus a (probably) more secure server. If you’re wondering what makes a good set of ciphers, take a look at cipherli.st for a regularly updated “best practice” sheet covering the most common web servers.
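A cipher-suite string can be checked before it ever reaches Apache. mod_ssl passes the SSLCipherSuite value straight to OpenSSL's cipher-string parser (Nginx does the same with ssl_ciphers), and Python's standard ssl module exposes that same parser, so a candidate string can be expanded offline and searched for 64-bit block ciphers. The following is an added example, not code from the original post or from any project it mentions; it assumes only that the Python interpreter is linked against OpenSSL, and the two cipher strings it compares are constructed for illustration, not taken from the post.

```python
"""Expand an OpenSSL cipher-suite string and report any 64-bit block ciphers.

Added example, not part of the original post. Runs offline: it consults the
OpenSSL library Python is linked against and never contacts a server.
"""
import ssl

# Substrings that identify 64-bit block ciphers in OpenSSL's TLS 1.2-era
# suite names: DES-CBC3 is triple DES (the birthday-attack concern the post
# describes), DES-CBC- is single DES, and IDEA is also a 64-bit block cipher.
SMALL_BLOCK_MARKERS = ("DES-CBC3", "DES-CBC-", "IDEA")


def ciphers_matching(spec: str) -> list:
    """Return the TLS <= 1.2 suite names `spec` enables, in preference order.

    The string is parsed by OpenSSL itself, exactly as mod_ssl would parse
    an SSLCipherSuite directive carrying the same value.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        # OpenSSL raises when nothing matches, e.g. an unknown keyword or
        # a cipher family that was compiled out of this build.
        return []
    # get_ciphers() also lists TLS 1.3 suites; those are fixed AES/ChaCha20
    # suites that the cipher string does not govern, so leave them out.
    return [c["name"] for c in ctx.get_ciphers() if c.get("protocol") != "TLSv1.3"]


def small_block_ciphers(spec: str) -> list:
    """Return the suites in `spec` that rely on a 64-bit block cipher."""
    return [n for n in ciphers_matching(spec)
            if any(marker in n for marker in SMALL_BLOCK_MARKERS)]


def offers_3des(spec: str) -> bool:
    """True if the string would let a server negotiate any 3DES suite."""
    return any("DES-CBC3" in n for n in ciphers_matching(spec))


if __name__ == "__main__":
    # Constructed examples: a permissive string of the kind that earns a
    # 'weak cipher' finding, beside one that excludes 3DES explicitly.
    BEFORE = "HIGH:MEDIUM:!aNULL:!MD5"
    AFTER = "HIGH:!aNULL:!MD5:!3DES"
    for label, spec in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {spec}")
        print("  suites enabled:", len(ciphers_matching(spec)))
        print("  64-bit block  :", small_block_ciphers(spec) or "none")
        print("  offers 3DES   :", offers_3des(spec))
```

The same expansion is available on the command line as `openssl ciphers -v 'HIGH:!aNULL:!MD5:!3DES'`, which is a quick way to confirm that a string copied from a best-practice sheet really drops every DES-CBC3 suite on the OpenSSL build your server uses. Whether the "before" string lists any 3DES suites depends on that build: newer OpenSSL releases may exclude 3DES at the default security level or leave it out entirely, in which case the check simply reports none. After changing the directive (keeping SSLHonorCipherOrder on so the server's preference wins), reload Apache and rescan, as the post describes.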