Ivan Ristic, director of engineering at security firm Qualys, agrees that the Lucky Thirteen attacks are practical for DTLS, but not practical in their current form for TLS. Nevertheless, the research is significant from an academic standpoint, he said Tuesday via email.
Web server administrators have the option of prioritizing a cipher suite that's not affected by these types of attack in their HTTPS implementations. For many, the only choice is RC4, a stream cipher that dates back to 1987.
"There's a wide dislike of RC4 because of its known flaws (none of which apply or applied to SSL/TLS), but we haven't yet seen a working attack against RC4 as used in TLS," Ristic said. "In that sense, even though RC4 is not ideal, it appears to be stronger than the alternatives currently available in TLS 1.0."
TLS 1.2 supports AES-GCM (AES Galois Counter Mode), a more modern cipher suite that's also not vulnerable to these types of attack. However, the overall adoption of TLS 1.2 is currently low.
According to data from SSL Pulse, a project created by Qualys to monitor the quality of SSL/TLS support across the Web, only 11 percent of the Internet's top 177,000 HTTPS websites have support for TLS 1.2.
"I think this discovery will be yet another reason to speed up TLS 1.2 deployment," Ristic said.
This is not the first time people have suggested prioritizing RC4 in TLS to prevent padding oracle attacks. The same thing happened two years ago when the BEAST (Browser Exploit Against SSL/TLS) attack was announced.
"From the most recent SSL Pulse results (January), we know that 66.7% of the servers are vulnerable to the BEAST attack, which means that they do not prioritize RC4," Ristic said. "Of those, a small number will support TLS 1.2 and may prioritize a non-CBC suite supported only in this version of the protocol. However, because so few browsers support TLS 1.2, I think we can estimate that about 66% of the servers will negotiate CBC."
Sign up for CIO Asia eNewsletters.