Amazon Web Services is one of the most commonly used cloud platforms in the world. However, as it turns out, the custom encryption and authentication layer was not as secure as originally assumed. A potential weakness has been identified in a code library protecting AWS, even though the library had passed three different external penetration tests.
AWS Cryptographic Vulnerability Was a Serious Threat
Amazon’s TLS implementation was originally designed to be a more secure and less complex form of encrypting and authenticating Web sessions. This implementation, called s2n, is based on the vast OpenSSL library while containing fewer than 10% as many lines of code as the library itself. While this was originally touted as a key security feature, it turns out it could be the downfall of AWS.
It took security researchers all of five days to discover the vulnerability in AWS’ s2n, and a report was presented to Amazon engineers. As it turns out, a TLS attack unveiled back in 2013 – called “Lucky 13” – can pose a serious threat to the cryptographic security layer protecting AWS.
If an assailant were to pull off this Lucky 13 attack against AWS, they would be able to recover encrypted browser cookies used to access restricted parts of a website. Luckily for all parties involved, Amazon engineers were on the ball to address the situation, and the vulnerability was patched rather quickly.
Even though this vulnerability is no longer a threat today, this story shows how difficult it is to provide proper security layers. Even a company like Amazon, which can hire the best engineers and security experts in the world, can face major vulnerabilities when developing its security standard.
There is nothing wrong with attempting to create a new implementation of an existing cryptographic security standard. Ensuring the entire layer is safe by conducting third-party audits and pen testing is the best approach to this concept. However, even those tests can fail to unveil a security threat. Even though most modern browsers and platforms are immune to Lucky 13 attacks to begin with, there is still a small portion of legacy systems that could pose a risk.
Cryptographic Security Is a Serious Matter To Bitcoin Companies
Knowing that even companies like Amazon can turn out to be vulnerable to these types of attack raises a serious question for Bitcoin companies. As these platforms are involved in protecting customer details and funds, it is of the utmost importance to ensure the platforms are as secure as they possibly can be.
Most of the Bitcoin companies active today rely on cryptographic security, and this would be a good time to ensure their implementations are all working correctly and without flaws. Third-party audits are a good way to ensure security is working as intended, and we can only hope Bitcoin companies do everything they can to keep customer data and funds safe.
Source: Ars Technica