Transport Layer Security
====Timing attacks on padding====
Earlier TLS versions were vulnerable to the [[padding oracle attack]] discovered in 2002. A novel variant, called the [[Lucky Thirteen attack]], was published in 2013.

Some experts<ref name="best-practices"/> also recommended avoiding [[triple DES]] CBC. The last ciphers supported by [[Windows XP]]'s SSL/TLS library, which is used by programs such as Internet Explorer on Windows XP, are [[RC4]] and Triple-DES. Since RC4 is now deprecated (see discussion of [[talk:RC4|RC4 attacks]]), it is difficult to support any version of SSL for any program using this library on XP.

A fix was released as the Encrypt-then-MAC extension to the TLS specification, published as {{IETF RFC|7366}}.<ref>{{cite IETF|publisher=Internet Engineering Task Force|rfc=7366|title=Encrypt-then-MAC for Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)|date=September 2014|author=P. Gutmann}}</ref> The Lucky Thirteen attack can be mitigated in TLS 1.2 by using only AES_GCM ciphers; AES_CBC remains vulnerable.

SSL may safeguard email, VoIP, and other types of communications over insecure networks in addition to its primary use case of secure data transmission between a client and the server.<ref name=":0" />
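The cipher guidance in this section can be applied as a configuration check. The following is an added example, not part of the original article: the suite list is constructed, and the function names and the <code>encrypt_then_mac</code> flag are assumptions of the example.

```python
import re

# Constructed sample: one server's TLS 1.2 suite list, mixing IANA and OpenSSL names.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "AES256-SHA",                      # OpenSSL name; the CBC mode is implicit
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "DES-CBC3-SHA",                    # OpenSSL name for the 3DES CBC suite
    "TLS_RSA_WITH_RC4_128_SHA",
]

def classify(suite):
    """Return 'gcm', 'rc4', '3des-cbc', 'aes-cbc' or 'unknown' for a suite name."""
    n = suite.upper().replace("-", "_")
    if "GCM" in n:
        return "gcm"
    if "RC4" in n:
        return "rc4"
    if "3DES" in n or "CBC3" in n:
        return "3des-cbc"
    # IANA names spell out CBC; OpenSSL names such as AES128-SHA or
    # ECDHE-RSA-AES256-SHA384 omit it, so match "AES<bits>_SHA..." at the end.
    if "AES" in n and ("CBC" in n or re.search(r"AES_?(128|256)_SHA(256|384)?$", n)):
        return "aes-cbc"
    return "unknown"

def audit(suites, encrypt_then_mac=False):
    """Map each suite to (verdict, reason), following the section's statements."""
    # Assumption: encrypt_then_mac is True only when both peers are known to
    # negotiate the RFC 7366 extension; this check cannot observe that itself.
    findings = {}
    for s in suites:
        kind = classify(s)
        if kind == "gcm":
            findings[s] = ("ok", "AES_GCM, the TLS 1.2 mitigation for Lucky Thirteen")
        elif kind == "rc4":
            findings[s] = ("reject", "RC4 is deprecated")
        elif kind == "3des-cbc":
            findings[s] = ("reject", "triple DES CBC, which experts recommend avoiding")
        elif kind == "aes-cbc" and encrypt_then_mac:
            findings[s] = ("ok-with-etm", "AES_CBC protected by Encrypt-then-MAC")
        elif kind == "aes-cbc":
            findings[s] = ("reject", "AES_CBC without Encrypt-then-MAC: padding timing")
        else:
            findings[s] = ("review", "not covered by this check")
    return findings
```

Suites reported as <code>review</code> fall outside the cases this section names and need a separate decision.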