Pen-test Finding: TLS/DTLS ‘Lucky 13’ vulnerability
Closed this issue · 2 comments
peterrowland commented
Lucky13 is a cryptographic side-channel attack against the encryption algorithms in TLS using
cipher block chaining mode, affecting TLS 1.1 and 1.2 and some earlier versions. It is so
named due to the 13 bytes of the TLS MAC header data which are in part the cause of its
vulnerability. Successful exploitation yields full plaintext for OpenSSL TLS encrypted
messages, allowing an attacker to read the full message, including session information. This
attack is similar to other Padding Oracle attacks but is more complex and requires a large
amount of data.
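The finding above turns on one concrete property of the endpoint: whether it still negotiates a cipher suite that uses a block cipher in CBC mode with MAC-then-encrypt, because those are the only suites Lucky 13 applies to (AEAD suites and all of TLS 1.3 are out of its reach, and TLS libraries closed the timing channel itself with constant-time padding and MAC handling). The script below is an added triage example written for this issue; it is not cloud.gov, AWS or OpenSSL code. It classifies suite names in both the IANA and the OpenSSL spelling, runs over a constructed sample list, and includes an optional live check of the suite a server actually picks. The sample suites and the `triage` / `uses_cbc` / `negotiated_suite` names are this example's own.

```python
"""Triage helper for a 'Lucky 13' finding.

Added example for this issue; not cloud.gov, OpenSSL or AWS code. Lucky 13
targets TLS suites that use a block cipher in CBC mode with MAC-then-encrypt,
so the first question for a scanner hit is whether the endpoint still offers
any such suite. AEAD suites (GCM, CCM, ChaCha20-Poly1305) and TLS 1.3 are
out of scope for the attack.
"""
import re
import socket
import ssl
from typing import Iterable

# Suite names come in two spellings: IANA (TLS_RSA_WITH_AES_128_CBC_SHA) and
# OpenSSL (AES128-SHA). IANA names say "CBC" explicitly; OpenSSL names do not,
# so for those we infer CBC from "block cipher present, no AEAD marker".
_AEAD_MARKER = re.compile(r"GCM|CCM|CHACHA20|POLY1305", re.I)
_BLOCK_CIPHER = re.compile(r"AES|CAMELLIA|ARIA|SEED|IDEA|DES", re.I)  # DES also matches 3DES


def uses_cbc(suite: str) -> bool:
    """True if the suite encrypts records with a block cipher in CBC mode."""
    name = suite.upper()
    if "CBC" in name:
        return True
    if _AEAD_MARKER.search(name):
        return False
    return bool(_BLOCK_CIPHER.search(name))


def triage(offered: Iterable[str]) -> dict:
    """Split an endpoint's offered suites into CBC and non-CBC and give a verdict.

    The finding can only be a true positive if CBC suites are still offered AND
    the TLS stack terminating the connection lacks the constant-time padding/MAC
    handling that libraries shipped as the Lucky 13 fix. This helper settles the
    first half; the second is a question for the terminator's vendor (here, the
    AWS load balancer documentation).
    """
    offered = list(offered)
    cbc = [s for s in offered if uses_cbc(s)]
    return {
        "cbc_suites": cbc,
        "other_suites": [s for s in offered if s not in cbc],
        "cbc_offered": bool(cbc),
    }


def negotiated_suite(host: str, port: int = 443) -> str:
    """Live check: the suite a server actually picks for a default client.

    Network call; not exercised by the offline sample below.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()[0]  # (name, protocol, bits) -> name


# Constructed sample: a mixed list of the kind a scanner or a load-balancer
# security policy would report. Not taken from any real cloud.gov endpoint.
SAMPLE_OFFERED = [
    "TLS_AES_128_GCM_SHA256",          # TLS 1.3, AEAD
    "ECDHE-RSA-AES128-GCM-SHA256",     # AEAD
    "ECDHE-RSA-CHACHA20-POLY1305",     # AEAD
    "ECDHE-RSA-AES256-SHA384",         # CBC (OpenSSL spelling omits "CBC")
    "TLS_RSA_WITH_AES_128_CBC_SHA",    # CBC (IANA spelling)
]

if __name__ == "__main__":
    result = triage(SAMPLE_OFFERED)
    for suite in SAMPLE_OFFERED:
        print(f"{'CBC ' if uses_cbc(suite) else 'ok  '} {suite}")
    print("CBC suites still offered:", result["cbc_offered"])
```

Run as-is it reports the two CBC suites in the constructed sample. To apply it to a real finding, feed `triage` the suite list from the load balancer's security policy (or the scanner's output) and, if CBC suites remain, check the terminating stack's documentation for the constant-time fix before closing the issue as a false positive.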
peterrowland commented
Can't fix. Handled by AWS load balancers.
mogul commented
This is a false-positive, per cloud.gov docs and ISSO concurrence.