Amazon 之前放 s2n 出來當作 TLS protocol 的方案，於是就有人摸出東西來：「Lucky Microseconds: A Timing Attack on Amazon's s2n Implementation of TLS」。
即使是經過外部資安檢證，仍然還是有找到問題。這次找到的問題是 timing attack 類在 CBC-mode 下的 plaintext recovery：
At the time of its release, Amazon announced that s2n had undergone three external security evaluations and penetration tests. We show that, despite this, s2n - as initially released - was vulnerable to a timing attack in the case of CBC-mode ciphersuites, which could be extended to complete plaintext recovery in some settings.
Our attack has two components. The first part is a novel variant of the Lucky 13 attack that works even though protections against Lucky 13 were implemented in s2n. The second part deals with the randomised delays that were put in place in s2n as an additional countermeasure to Lucky 13. Our work highlights the challenges of protecting implementations against sophisticated timing attacks.
It also illustrates that standard code audits are insufficient to uncover all cryptographic attack vectors.
Amazon 的官方說明則在「s2n and Lucky 13」這邊可以看到。