New research dubbed Lucky13 reveals that SSL/TLS is at risk from a theoretical timing attack that could expose encrypted data.
Why is an attack like Lucky13 theoretically possible today? It has a lot to do with increases in available computing and networking power. Though Lucky13 is a theoretically possible attack vector, hackers will likely not be interested in weaponizing it at the current time.
“Many people don’t use HSTS, and there are plenty of opportunities to subvert SSL if you don’t have a solid SSL configuration,”
Ryan Hurst, CTO of GlobalSign, told InternetNews. “I don’t want to trivialize the Lucky13 attack. It’s cool research, but if I wanted to attack SSL I’d start with the initial connection.”
HTTP Strict Transport Security (HSTS) is a recently ratified IETF standard to help ensure that browsers connect to a website over HTTPS. Without HSTS, it is possible for a user to insecurely log into a website that they should be logging into securely via HTTPS. At the Black Hat DC 2009 event, security researcher Moxie Marlinspike released a tool called SSLstrip that is able to deceive users and Web browsers into thinking they are on an SSL/HTTPS secured site when in fact they are not.