Nadhem AlFardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London, announced a new TLS/DTLS attack called Lucky Thirteen. The attack allows a man-in-the-middle attacker to recover plaintext from a TLS/DTLS connection when CBC-mode (cipher-block chaining) encryption is used.
The attack exploits a problem with the TLS specification and not a bug in specific implementations. This is not a problem with certification authorities or issued SSL/TLS certificates.
Lucky Thirteen uses a known timing attack previously believed to be impractical. There is a subtle timing bug in the way that TLS data decryption works when using the (standard) CBC-mode ciphersuite. Given the right set of circumstances, an attacker can use this to decrypt sensitive information, such as passwords and cookies.
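To make the decryption-side timing issue concrete, here is an added illustration (not the researchers' code and not any TLS library's) of the padding-plus-MAC check a receiver performs on a decrypted CBC record. It counts bytes fed to the MAC as a stand-in for elapsed time: the naive padding-first check does an amount of work that depends on the padding byte, while the hardened check does the same work for every record, which is the shape of the countermeasure the patches implement. HMAC-SHA1, the key and the sample content are constructed for the demo.

```python
import hmac
import hashlib

MAC_LEN = 20                 # HMAC-SHA1 tag, as in the classic TLS CBC ciphersuites
_hashed = {"bytes": 0}       # bytes fed to the MAC: our stand-in for elapsed time


def _mac(key, data):
    _hashed["bytes"] += len(data)
    return hmac.new(key, bytes(data), hashlib.sha1).digest()


def encode_record(key, content, block=16):
    """Build a decrypted TLS CBC record body: content || tag || padding || padlen."""
    body = content + _mac(key, content)
    padlen = (block - (len(body) + 1) % block) % block
    return body + bytes([padlen]) * (padlen + 1)


def check_naive(key, rec):
    """Padding-first check with early exit. Returns (accepted, bytes MAC'd)."""
    _hashed["bytes"] = 0
    padlen = rec[-1]
    if padlen + 1 + MAC_LEN > len(rec) or any(b != padlen for b in rec[-(padlen + 1):]):
        return False, 0                       # bad padding: the MAC is never computed
    end = len(rec) - padlen - 1               # MAC input length follows from padlen
    ok = hmac.compare_digest(_mac(key, rec[:end - MAC_LEN]), bytes(rec[end - MAC_LEN:end]))
    return ok, _hashed["bytes"]


def check_fixed_work(key, rec):
    """Same verdict, but the padding scan runs a fixed number of steps and the MAC
    always consumes len(rec) - MAC_LEN - 1 bytes (content plus dummy bytes), so the
    work no longer depends on the padding byte. Python is not constant-time; this
    models the structure of the fix, not a library's exact code."""
    _hashed["bytes"] = 0
    n = len(rec)
    if n < MAC_LEN + 1:                       # public length check only
        return False, 0
    max_pad = min(255, n - MAC_LEN - 1)       # depends only on the public length
    padlen = rec[-1]
    too_long = int(padlen > max_pad)          # a flag, not an early exit
    eff = padlen * (1 - too_long)             # an impossible padlen is treated as 0
    good = 1 - too_long
    for i in range(1, max_pad + 2):           # fixed iteration count
        in_pad = int(i <= eff + 1)
        good &= (1 - in_pad) | int(rec[n - i] == padlen)
    end = n - eff - 1
    body = rec[:end - MAC_LEN]
    calc = _mac(key, body)
    _mac(key, b"\0" * (n - MAC_LEN - 1 - len(body)))   # dummy work: constant total
    good &= int(hmac.compare_digest(calc, bytes(rec[end - MAC_LEN:end])))
    return bool(good), _hashed["bytes"]
```

For a 32-byte record carrying 5 bytes of content, the naive check feeds 5 bytes to the MAC on good padding and 0 bytes on bad padding, while the fixed-work check feeds 11 bytes in every case.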
The attacks apply to all implementations that conform to TLS version 1.1 or 1.2, or DTLS version 1.0 or 1.1. They also apply to implementations of SSL 3.0 and TLS 1.0 that have countermeasures designed to defeat a previous padding oracle attack discovered several years ago. All TLS and DTLS ciphersuites that include CBC-mode encryption are potentially vulnerable.
The attack is borderline practical if you're using the Datagram version of TLS (DTLS). It's more on the theoretical side if you're using standard TLS. However, per the cryptographer's adage: attacks always get better, they never get worse. As such, it makes sense to implement countermeasures as they become available.
In the short term, a website operator can temporarily set the ciphersuite preferences to RC4. This may have already been done to mitigate BEAST.
The long-term solution will be to deploy patches. The security researchers have worked with a number of TLS and DTLS software developers to allow them to prepare patches and advisories. The researchers provide the following status: