In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade s2n-tls
to version 0.2.7 or higher.
s2n-tls is a crate provides ergonomic, idiomatic Rust bindings for s2n-tls. From the s2n-tls readme:
Affected versions of this package are vulnerable to Observable Timing Discrepancy due to the handling of RSA premaster secrets when an invalid secret is received. An attacker can potentially observe timing differences by exploiting the additional processing performed when the premaster secret contains an incorrect client hello version.
Note
This is only exploitable if server applications permit RSA key exchange without using the default, built-in blinding feature, or properly implemented self-service blinding.
This vulnerability can be mitigated by using an s2n-tls security policy that disallows RSA key exchange.