LUCKY13 attack on Azure Front Door with TLS 1.2

Rasmus Larsen 0 Reputation points
2023-02-27T08:19:42.9133333+00:00

Hi there,

We currently have a solution that utilizes the Front Door setup with a custom domain and an AFD managed certificate. It has been configured to meet the minimum requirement of TLS 1.2.

However, during a pen-test phase, it was discovered that the cipher suites used include CBC, which is outdated and susceptible to the LUCKY13 attack. Here is a reference link to the attack: https://crashtest-security.com/prevent-ssl-lucky13/

And here is the cipher suite documented for Front-Door: https://learn.microsoft.com/en-us/azure/frontdoor/end-to-end-tls?pivots=front-door-standard-premium#supported-cipher-suites

We would like to know if there is a way to disable these ciphers, and if not we are interested in any online documentation that describes how Microsoft prevents LUCKY13 attacks against Front Door.

Thank you.

Azure Front Door
Azure Front Door
An Azure service that provides a cloud content delivery network with threat protection.
360 questions

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. ChaitanyaNaykodi-MSFT 11,261 Reputation points Microsoft Employee
    2023-03-02T03:43:24.7433333+00:00

    @Rasmus Larsen

    Thank you for your patience here. I got a response back from the team.

    Currently disabling specific ciphers is not supported for Azure Front Door. The team is working on this feature, and it will be rolled out soon.

    The suggested work around in this case is to configure the client to not use the weak ciphers. Thank you!

    Hope this helps!

    ​​Please "Accept the answer" if the information helped you. This will help us and others in the community as well.