LUCKY13 attack on Azure Front Door with TLS 1.2

Rasmus Larsen 30 Reputation points
2023-02-27T08:19:42.9133333+00:00

Hi there,

We currently have a solution that utilizes the Front Door setup with a custom domain and an AFD managed certificate. It has been configured to meet the minimum requirement of TLS 1.2.

However, during a pen-test phase, it was discovered that the cipher suites used include CBC, which is outdated and susceptible to the LUCKY13 attack. Here is a reference link to the attack: https://crashtest-security.com/prevent-ssl-lucky13/

And here is the cipher suite documented for Front-Door: https://learn.microsoft.com/en-us/azure/frontdoor/end-to-end-tls?pivots=front-door-standard-premium#supported-cipher-suites

We would like to know if there is a way to disable these ciphers, and if not we are interested in any online documentation that describes how Microsoft prevents LUCKY13 attacks against Front Door.

Thank you.


Accepted answer
  1. ChaitanyaNaykodi-MSFT 26,101 Reputation points Microsoft Employee
    2023-03-02T03:43:24.7433333+00:00

    @Rasmus Larsen

    Thank you for your patience here. I got a response back from the team.

    Currently, disabling specific ciphers is not supported for Azure Front Door. The team is working on this feature, and it will be rolled out soon.

    The suggested workaround in this case is to configure the client to not use the weak ciphers. Thank you!

    Hope this helps!

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


0 additional answers
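
The workaround from the accepted answer (have the client stop offering the CBC suites), shown as an added example that is not part of the original thread and is not Microsoft code. The OpenSSL cipher string, the `host` parameter and the sample suite names are assumptions made for illustration.

```python
import socket
import ssl

# Assumption: OpenSSL cipher string chosen for this example. It keeps only
# AEAD (GCM / ChaCha20-Poly1305) suites for TLS 1.2, so no CBC suite is offered.
AEAD_ONLY = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL"


def aead_only_context() -> ssl.SSLContext:
    """Client context that never offers a CBC-mode suite in its ClientHello."""
    ctx = ssl.create_default_context()            # cert + hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(AEAD_ONLY)                    # governs TLS 1.2; TLS 1.3 suites are AEAD already
    return ctx


def non_aead_suites(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that are not AEAD (CBC suites would show up here)."""
    return [c["name"] for c in ctx.get_ciphers() if not c.get("aead", False)]


def is_cbc_suite(iana_name: str) -> bool:
    """Classify an IANA suite name, e.g. one copied from a scanner report."""
    return "_CBC_" in iana_name.upper()


def negotiated_cipher(host: str, port: int = 443) -> tuple:
    """Handshake with `host` (hypothetical parameter); returns (name, protocol, bits)."""
    with socket.create_connection((host, port), timeout=10) as raw:
        with aead_only_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()


# Constructed sample of suite names as a scanner might report them.
SAMPLE_REPORT = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    print("non-AEAD suites offered:", non_aead_suites(aead_only_context()))
    print("CBC in sample report:", [s for s in SAMPLE_REPORT if is_cbc_suite(s)])
```

This only constrains clients you control: the endpoint still accepts CBC suites from other clients, so an external scan of the Front Door hostname will keep listing them.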
