Resolved: Fastly “forward secrecy” vulnerability
November 16, 2016
On Monday, November 14, 2016, security researchers published a paper, “Measuring the Security Harm of TLS Crypto Shortcuts.” Among other findings about the TLS implementations of several sites, the paper identified Fastly as not frequently rotating TLS session tickets, which limited the effectiveness of forward secrecy.
While Fastly was not directly contacted by the researchers, Fastly had previously been made aware of the issue, and this vulnerability was addressed on Friday, November 11. No customer action is required to benefit from the fix.
Prior to the fix, in the unlikely case that a Fastly TLS key was compromised, an attacker would have been able to decrypt both live user traffic and any previously collected traffic between clients and Fastly edge nodes that used the compromised key.
Fix / workarounds
On Friday, November 11, Fastly rolled out frequent session ticket rotations across the Fastly public CDN. As of that date, all customers benefit from strong forward secrecy and the vulnerability has been remediated.
TLS session tickets are a method of TLS session resumption described in more detail in RFC 5077. They are used by TLS servers to resume sessions without keeping per-client session state: the server encapsulates the session state in a ticket and hands it to the client, which can then present the ticket to resume the session.
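To make the mechanism and the fix concrete, here is an added example that is not Fastly's code and does not describe how Fastly's edge actually implements tickets. It models RFC 5077 session tickets with a rotating ticket encryption key using only the Python standard library, so an HMAC-SHA256 keystream with an encrypt-then-MAC tag stands in for the AES-CBC plus HMAC construction RFC 5077 recommends. `TicketServer`, `sessions_exposed_by`, and the session-state byte strings are constructed for the illustration. It shows the resumption path and the exposure described above: a ticket key that is never rotated unwraps every recorded ticket, while a rotated key unwraps only the tickets issued during its own window.

```python
"""Illustrative RFC 5077 session tickets with ticket-key rotation (stdlib only).

Added example, not Fastly's implementation. The "cipher" is HMAC-SHA256 in
counter mode with an encrypt-then-MAC tag, a stand-in for AES-CBC + HMAC.
"""
import hashlib
import hmac
import os
import struct
from collections import deque

KEY_NAME_LEN = 16   # key_name field: identifies which ticket key sealed a ticket
NONCE_LEN = 16
TAG_LEN = 32        # HMAC-SHA256 tag


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for a block cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class TicketKey:
    """One session ticket encryption key (STEK): random name, enc key, MAC key."""

    def __init__(self) -> None:
        self.name = os.urandom(KEY_NAME_LEN)
        self.enc_key = os.urandom(32)
        self.mac_key = os.urandom(32)


def seal_ticket(key: TicketKey, session_state: bytes) -> bytes:
    """Encapsulate session state as key_name || nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    body = _xor(session_state, _keystream(key.enc_key, nonce, len(session_state)))
    tag = hmac.new(key.mac_key, key.name + nonce + body, hashlib.sha256).digest()
    return key.name + nonce + body + tag


def open_ticket(key: TicketKey, ticket: bytes):
    """Return the session state inside `ticket` if `key` sealed it, else None."""
    if len(ticket) < KEY_NAME_LEN + NONCE_LEN + TAG_LEN:
        return None
    name = ticket[:KEY_NAME_LEN]
    nonce = ticket[KEY_NAME_LEN:KEY_NAME_LEN + NONCE_LEN]
    body = ticket[KEY_NAME_LEN + NONCE_LEN:-TAG_LEN]
    tag = ticket[-TAG_LEN:]
    if name != key.name:
        return None
    expected = hmac.new(key.mac_key, name + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _xor(body, _keystream(key.enc_key, nonce, len(body)))


class TicketServer:
    """Server-side ticket handling with a bounded key window (constructed model).

    keys[0] seals new tickets; `history` older keys are still accepted for
    resumption, and anything older forces the client into a full handshake.
    """

    def __init__(self, history: int = 1) -> None:
        self.keys = deque(maxlen=history + 1)
        self.rotate()

    def rotate(self) -> None:
        self.keys.appendleft(TicketKey())  # oldest key falls off the right end

    def issue(self, session_state: bytes) -> bytes:
        return seal_ticket(self.keys[0], session_state)

    def resume(self, ticket: bytes):
        """Resume only if the ticket's key_name matches a key still in the window."""
        for key in self.keys:
            if key.name == ticket[:KEY_NAME_LEN]:
                return open_ticket(key, ticket)
        return None  # unknown or retired key: fall back to a full handshake


def sessions_exposed_by(key: TicketKey, recorded_tickets) -> int:
    """Count recorded tickets that one ticket key would unwrap.

    Without rotation a single key covers every recorded session; with
    rotation it covers only the sessions issued during its own window.
    """
    return sum(1 for t in recorded_tickets if open_ticket(key, t) is not None)


if __name__ == "__main__":
    server = TicketServer(history=1)
    first_key = server.keys[0]
    recorded = [server.issue(f"session-{i}".encode()) for i in range(3)]
    print("before rotation, one key unwraps:", sessions_exposed_by(first_key, recorded))
    server.rotate()
    recorded += [server.issue(f"session-{i}".encode()) for i in range(3, 6)]
    print("after rotation, that key unwraps:", sessions_exposed_by(first_key, recorded))
```

The session state a real server puts in a ticket includes the master secret, which is why a leaked long-lived ticket key undoes forward secrecy for every recorded session sealed under it; the `history` window bounds that exposure to one rotation period plus however many old keys are still accepted.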
The paper “Measuring the Security Harm of TLS Crypto Shortcuts” was presented on November 14 at the 2016 ACM Internet Measurement Conference.