Gmail will soon stop support for the 3DES encryption cipher for incoming SMTP
18 comments · May 8, 2025
londons_explore
aspenmayer
Email on Gmail (or on any cloud email service provider subject to US jurisdiction) older than 180 days is available upon request without a warrant.
> Under ECPA, it is relatively easy for a government agency to demand service providers hand over personal consumer data stored on the service provider's servers. Email that is stored on a third party's server for more than 180 days is considered by the law to be abandoned. All that is required to obtain the content of the emails by a law enforcement agency is a written statement certifying that the information is relevant to an investigation, without judicial review.
https://en.wikipedia.org/wiki/Electronic_Communications_Priv...
SchemaLoad
Was Gmail actively sending emails with this? Or just not blocking emails from other servers using it? Breaking email deliverability is a pretty serious action to take.
behringer
The broken systems would have repaired their systems 8 years ago when users complained.
agildehaus
3DES isn't as easy to exploit as, say, SSLv3 and RC4, which were both quickly removed.
zzq1015
Probably not just that. 3DES is the last cipher supported by "old" clients (I'm talking Windows XP). If you remove 3DES, the TLS connection will simply fail.
You can never imagine how many people are still using WinXP, or other forgotten legacy clients/servers that only support up to TLS 1.0 and RC4/DES/3DES without realizing it.
timewizard
Triple DES was always just sort of funny to me. "DES is completely broken. So we'll just do it three times in a row now." Well, fun while it lasted, I guess.
NicolaiS
Biggest reason to avoid DES is the short key. Double-DES doesn't fix that due to the meet-in-the-middle attack. Triple DES "solves" the short key problem.
zzq1015
DES is weak because it only uses 56 bits, and you can brute force it. 3DES has 168 (56*3) bits with the security of 112 (56*2) bits.
Meekro
Can someone explain why this is important enough to land on the HN front page? Are people being inconvenienced by this or something?
DaiPlusPlus
Statistically, someone, somewhere, has a VAX box that hasn't been rebooted since before the fall of the Soviet Union, running their org's MTA with a comically outdated cryptosuite. Anyone running vaxen that old is bound to be a regular here on HN.
zzq1015
I had no idea that you can filter/reject certain TLS versions/ciphers before seeing this on the HN front page.
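The cipher filtering mentioned in the comment above, sketched with Python's `ssl` module as an added example that is not part of the thread: a server context that refuses 3DES and anything below TLS 1.2, plus a check of which client offers could still negotiate. The function names and the two sample offers are assumptions constructed for illustration.

```python
import ssl

# Constructed sample offers (OpenSSL suite names), not captured traffic.
LEGACY_OFFER = ["DES-CBC3-SHA", "RC4-SHA", "RC4-MD5"]
MODERN_OFFER = ["ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA"]


def uses_3des(suite_name: str) -> bool:
    """True for 3DES suites in OpenSSL (DES-CBC3) or IANA (3DES_EDE) naming."""
    name = suite_name.upper()
    return "DES-CBC3" in name or "3DES" in name


def hardened_server_context() -> ssl.SSLContext:
    """Server-side context that rejects 3DES and pre-TLS-1.2 handshakes.

    A real listener would also call load_cert_chain(); it is omitted here
    because only the protocol and cipher policy are being inspected.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string: strong suites only, no anonymous or 3DES suites.
    ctx.set_ciphers("HIGH:!aNULL:!3DES")
    return ctx


def enabled_3des_suites(ctx: ssl.SSLContext) -> list:
    """Audit helper: names of any 3DES suites the context would still accept."""
    return [c["name"] for c in ctx.get_ciphers() if uses_3des(c["name"])]


def shared_suites(client_offer: list, ctx: ssl.SSLContext) -> list:
    """Suites from the client's offer that the server policy also enables."""
    enabled = {c["name"] for c in ctx.get_ciphers()}
    return [s for s in client_offer if s in enabled]


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("3DES suites still enabled:", enabled_3des_suites(ctx))
    for label, offer in (("legacy", LEGACY_OFFER), ("modern", MODERN_OFFER)):
        common = shared_suites(offer, ctx)
        print(label, "->", common or "no shared suite, handshake fails")
```

The legacy offer has no suite in common with the policy, which is the handshake failure described earlier in the thread for clients limited to RC4/DES/3DES.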
andreareina
To me it’s surprising in the sense that it was even still supported.
cedilla
Because it's interesting?
The 3DES saga is still ongoing...
syeare
I can't explain it, no, unfortunately.
But what about someone maintaining and developing, say, an obscure e-mail client?
foobarkey
Crapping on Google is meta
fishgoesblub
My reading has gotten worse over the years, it took me multiple times re-reading to realise this isn't deprecating Gmail on the Nintendo 3DS.
Don't worry - it only took 9 years between 3DES being publicly known to have severe vulnerabilities and Google deciding it isn't appropriate for protecting perhaps the most sensitive dataset in the world (private emails).
CVE-2016-2183...