Why does SSL Labs now consider CBC suites weak?

While CBC is fine in theory, there is always the risk that an improper implementation will subject the connection to padding oracle attacks. Time and time again, CBC implementations in TLS have shown themselves to be vulnerable, and each time an implementation is fixed, it seems yet another bug making padding oracle attacks feasible appears. Lucky Thirteen was published in 2013, and variants of this attack based on side channels keep popping up. SSL Labs is just observing history and learning from it.
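The implementation pitfall described above, as an added example that is not part of the original answer or of any TLS library: a weak and a hardened version of the padding-then-MAC check a MAC-then-encrypt CBC record goes through after decryption. The function names, the simplified MAC input (header plus content) and the sample record are assumptions made for illustration, and the input is assumed to be non-empty.

```python
import hashlib
import hmac

MAC_LEN = 32  # HMAC-SHA256 tag length

class BadPadding(Exception): ...
class BadMac(Exception): ...
class BadRecord(Exception): ...

def _mac(key, header, content):
    # Simplified MAC input (assumption): header || content.
    return hmac.new(key, header + content, hashlib.sha256).digest()

def seal(key, header, content, block=16):
    """Return content || MAC || padding, the plaintext that CBC would encrypt."""
    body = content + _mac(key, header, content)
    pad_len = -(len(body) + 1) % block
    return body + bytes([pad_len]) * (pad_len + 1)  # TLS-style padding

def _split(plaintext, pad_len):
    body = plaintext[:len(plaintext) - (pad_len + 1)]
    return body[:-MAC_LEN], body[-MAC_LEN:]

def _pad_ok(plaintext):
    pad_len = plaintext[-1]
    fits = pad_len + 1 + MAC_LEN <= len(plaintext)
    return fits and hmac.compare_digest(plaintext[-(pad_len + 1):], bytes([pad_len]) * (pad_len + 1))

def open_leaky(key, header, plaintext):
    """Weak: padding failures exit early with their own error (the oracle)."""
    if not _pad_ok(plaintext):
        raise BadPadding()
    content, tag = _split(plaintext, plaintext[-1])
    if not hmac.compare_digest(tag, _mac(key, header, content)):
        raise BadMac()
    return content

def open_uniform(key, header, plaintext):
    """Hardened: always run the MAC, report one error for every failure."""
    pad_ok = _pad_ok(plaintext)
    pad_len = plaintext[-1] if pad_ok else 0  # bad pad: assume zero-length pad (RFC 5246, 6.2.3.2)
    content, tag = _split(plaintext, pad_len)
    mac_ok = hmac.compare_digest(tag, _mac(key, header, content))
    if not (pad_ok and mac_ok):
        raise BadRecord()
    return content

def outcome(opener, key, header, plaintext):
    """Return "ok" or the name of the error the opener raised."""
    try:
        opener(key, header, plaintext)
        return "ok"
    except (BadPadding, BadMac, BadRecord) as exc:
        return type(exc).__name__
```

The uniform error removes the error-type signal only; Python code like this is not constant-time, and timing side channels of the kind Lucky Thirteen used need constant-time record processing as well.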


Simply put, after four new CBC-exclusive attacks were revealed, all of them padding oracle attacks, they want to discourage it, as per a comment from the author of the update blog post:

We are only encouraging to move away from CBC based cipher suites after 4 new CBC based vulnerabilities. As of now, there is no grade change for CBC and servers can continue to use.
