Subscribe to receive notifications of new posts:

New "Lucky Thirteen" SSL Vulnerabilities: CloudFlare Users Protected

2013-02-04

1 min read
New

CloudFlare often gets early word of new vulnerabilities before they are released. Last week we got word that today (Monday, February 4, 2013) there would be a new SSL vulnerability announced. This vulnerability follows the BEAST and CRIME vulnerabilities that have been discovered over the last 18 months. The bad news is that TLS 1.1/1.2 do not fix the issue.

The vulnerabilities are known as the Lucky Thirteen.

New

The good news is that our analysis of the newest vulnerability suggests that, while theoretically possible, it is fairly difficult to exploit. It is a timing attack and you'd need to create a fairly large number of connections and measure the differences in timing. That's possible, but non-trivial.

That said, at CloudFlare we want to ensure that even remote risks are fully mitigated. In this case, the good news is CloudFlare's SSL configuration is, by default, not generally vulnerable to the new attack. Specifically, because we deprioritize the vulnerable SSL cipher, it makes anyone using a modern browser invulnerable to the attack when visiting a CloudFlare-protected site over an SSL connection.

While the easiest way to ensure that your site is protected from the new vulnerability is to sign up for CloudFlare's service, if you haven't gotten around to that yet then there are some steps you should take. First, when a new version of OpenSSL is released that removes this vulnerability, which we expect will happen in the next few weeks, you should upgrade. Second, you should prioritize the RC4 cipher in your web server above others as it isn't vulnerable.

Here's the Apache SSL cipher suite configuration we'd recommend:

SSLProtocol -ALL +SSLv3 +TLSv1SSLCipherSuite ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDHSSLHonorCipherOrder on

Here's the NGINX SSL cyber suite configuration we'd recommend:

ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;ssl_ciphers ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH;ssl_prefer_server_ciphers on;

Cloudflare's connectivity cloud protects entire corporate networks, helps customers build Internet-scale applications efficiently, accelerates any website or Internet application, wards off DDoS attacks, keeps hackers at bay, and can help you on your journey to Zero Trust.

Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you're looking for a new career direction, check out our open positions.
TLSSSLVulnerabilitiesSecurity

Follow on X

Matthew Prince|@eastdakota
Cloudflare|@cloudflare

Related posts

October 08, 2024 1:00 PM

Cloudflare acquires Kivera to add simple, preventive cloud security to Cloudflare One

The acquisition and integration of Kivera broadens the scope of Cloudflare’s SASE platform beyond just apps, incorporating increased cloud security through proactive configuration management of cloud services. ...

October 06, 2024 11:00 PM

Enhance your website's security with Cloudflare’s free security.txt generator

Introducing Cloudflare’s free security.txt generator, empowering all users to easily create and manage their security.txt files. This feature enhances vulnerability disclosure processes, aligns with industry standards, and is integrated into the dashboard for seamless access. Strengthen your website's security today!...

October 02, 2024 1:00 PM

How Cloudflare auto-mitigated world record 3.8 Tbps DDoS attack

Over the past couple of weeks, Cloudflare's DDoS protection systems have automatically and successfully mitigated multiple hyper-volumetric L3/4 DDoS attacks exceeding 3 billion packets per second (Bpps). Our systems also automatically mitigated multiple attacks exceeding 3 terabits per second (Tbps), with the largest ones exceeding 3.65 Tbps. The scale of these attacks is unprecedented....