Fix wording of ChangeLog and 3DES_REMOVE docs

ChangeLog

@@ -8,7 +8,12 @@ Features
      at the cost of additional lifetime constraints on the input
      buffer, but at the benefit of reduced RAM consumption.
    * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites
-     from the default list (inactive by default).
+     from the default list (enabled by default). See
+     https://sweet32.info/SWEET32_CCS16.pdf.
+
+API Changes
+   * Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`.
+     See the Features section for more information.
 
 Bugfix
    * Fix a compilation issue with mbedtls_ecp_restart_ctx not being defined
@@ -53,10 +58,6 @@ Changes
    * Ensure that ssl-opt.h can be run in OS X. #2029
    * Ciphersuites based on 3DES now have the lowest priority by default.
 
-API Changes
-   * Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`.
-     See the Features section for more information.
-
 = mbed TLS 2.16.0 branch released 2018-12-21
 
 Features

include/mbedtls/config.h

@@ -696,6 +696,13 @@
  * to enable (some of) them with mbedtls_ssl_conf_ciphersuites() by including
  * them explicitly.
  *
+ * A man-in-the browser attacker can recover authentication tokens sent through
+ * a TLS connection using a 3DES based cipher suite (see "On the Practical
+ * (In-)Security of 64-bit Block Ciphers" by Karthikeyan Bhargavan and Gaëtan
+ * Leurent, see https://sweet32.info/SWEET32_CCS16.pdf). If this attack falls
+ * in your threat model or you are unsure, then you should keep this option
+ * enabled to remove 3DES based cipher suites.
+ *
  * Comment this macro to keep 3DES in the default ciphersuite list.
  */
 #define MBEDTLS_REMOVE_3DES_CIPHERSUITES