It wasn't that long ago that SSL 2.0 and then SSL 3.0 imperfections sent the security world scrambling to the safety of TLS, SSL's direct successor.  Then came BEAST, which used a combination of JavaScript and network sniffers to decrypt authentication cookies over TLS 1.0 streams.  And now we have the Lucky 13 attack that convinces TLS 1.0, TLS 1.1 and TLS 1.2 to all reveal information about the original message using a man-in-the-middle timing technique.


Fortunately, the scope of the Lucky 13 attack appears to be limited to TLS cipher suites that include CBC-mode encryption.  Unfortunately, those suites are very common and usually on by default.


However, if you own a Serv-U FTP Server or Serv-U MFT Server, you have the controls you need to enable or disable affected cipher suites built into the Serv-U Management Console.

[Screenshots: navigating to the Encryption settings in the Serv-U Management Console, and the list of CBC cipher suites under "Advanced SSL Options".]

In this case, just look for the SSL ciphers that include "CBC" and uncheck them.

FIPS 140-2 SSL Caveat


If you check Serv-U's "Enable FIPS 140-2 mode" checkbox, the "Advanced SSL Options" panel disappears.  Behind the scenes, Serv-U disables all ciphers except the SHA-MAC suites using AES (AES256-SHA and AES128-SHA) and Triple DES (DES-CBC3-SHA).  Note that all three are CBC-mode suites: the Triple DES suite says so in its name, and AES256-SHA and AES128-SHA are OpenSSL's names for the AES-CBC suites, even though "CBC" does not appear in them.  In other words, if you want to retain fine control over your data-in-motion ciphers, you will need to leave the "Enable FIPS 140-2 mode" box unchecked.
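To audit a cipher list by name rather than by eye, here is an added Python helper (not part of this post or of Serv-U) that classifies OpenSSL-style suite names, including the three FIPS-mode names above, as CBC-mode or not. It assumes OpenSSL's naming convention, where a suite naming a block cipher with no GCM, CCM or CHACHA20 marker is CBC-mode even when "CBC" is not spelled out; the sample list is constructed.

```python
"""Classify TLS cipher suites (OpenSSL naming) as CBC-mode or not.

Added example, not Serv-U code. Assumes OpenSSL's naming convention: a suite
that names a block cipher and carries no AEAD/stream marker is CBC-mode, even
when the string "CBC" itself does not appear (AES128-SHA is AES-128-CBC).
"""

# Markers that rule out CBC: AEAD modes, a stream cipher, or no encryption.
# (RC4 and NULL are outside Lucky 13's scope but are not safe choices.)
NON_CBC_MARKERS = ("GCM", "CCM", "CHACHA20", "RC4", "NULL")
# Block ciphers that OpenSSL pairs with CBC when no AEAD marker is present.
BLOCK_CIPHERS = ("AES", "DES", "CAMELLIA", "SEED", "IDEA")


def is_cbc_suite(name: str) -> bool:
    """Return True if the suite uses CBC mode and so falls in Lucky 13's scope."""
    n = name.upper()
    if any(marker in n for marker in NON_CBC_MARKERS):
        return False
    return any(cipher in n for cipher in BLOCK_CIPHERS)


def partition_suites(suites):
    """Split a configured cipher list into (cbc, non_cbc), preserving order."""
    cbc = [s for s in suites if is_cbc_suite(s)]
    non_cbc = [s for s in suites if not is_cbc_suite(s)]
    return cbc, non_cbc


# Constructed sample: the three suites the post says Serv-U keeps in FIPS mode,
# plus a few common suites an administrator might find enabled elsewhere.
SAMPLE_CIPHER_LIST = [
    "AES256-SHA",
    "AES128-SHA",
    "DES-CBC3-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "RC4-SHA",
]

if __name__ == "__main__":
    cbc, non_cbc = partition_suites(SAMPLE_CIPHER_LIST)
    print("CBC-mode suites to uncheck:", ", ".join(cbc))
    print("Suites outside Lucky 13's scope:", ", ".join(non_cbc))
```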