Nadhem Alfardan and Kenny Paterson devised an attack that recovers some bits of the plaintext of a GnuTLS session that utilizes that CBC ciphersuites, by using timing information.

In order for the attack to work the client must operate as follows. It connects to a server, it sends some (encrypted) data that will be intercepted by the attacker, who will terminate the client's connection abnormally (i.e. the client will receive a premature termination error). The client should repeat that, multiple times.

Who is affected by this attack?

• Clients that repeatedly reconnect and transfer the same data, after a TLS fatal error occurs.

How to mitigate the attack?

• Do not enable the CBC ciphersuites, prefer ARCFOUR or GCM modes.
• Upgrade to the latest GnuTLS version (3.1.7, 3.0.28, or 2.12.23).