New "Lucky Thirteen" SSL Vulnerabilities: CloudFlare Users Protected
On February 4, 2013, a new SSL vulnerability known as the Lucky Thirteen was announced. Although TLS 1.1/1.2 do not fix this issue, it is theoretically difficult to exploit and requires creating numerous connections and measuring timing differences. CloudFlare's default SSL configuration protects against this attack by deprioritizing the vulnerable cipher. To ensure protection from the new vulnerability, users should upgrade their OpenSSL or NGINX versions when a patch is released and prioritize the RC4 cipher in their web server settings.
Company
Cloudflare
Date published
Feb. 4, 2013
Author(s)
Matthew Prince
Word count
297
Hacker News points
None found.
Language
English