
More Details on CRIME Attack: Takes Advantage Of TLS Compression [VIDEO]


More details have been released about CRIME, the brand new attack against TLS developed by Juliano Rizzo and Thai Duong.

The attack takes advantage of a side channel in the compression of TLS requests: the compressed size of a request depends on its content, which allows the attacker to decrypt the requests made by the client to the server. The attacker is able to steal the user’s login cookie and then hijack the user’s session, impersonating him on other destinations such as banks or e-commerce sites.

Not only does the attack work on any version of TLS, but the number of requests needed for it to be successful is also quite small, as low as six requests per cookie byte.

Every browser that implements either TLS or SPDY compression (SPDY is an open standard developed by Google to speed up web-page load times) is vulnerable. The list includes Google Chrome, Mozilla Firefox and Amazon Silk. The attack also works against several popular web services, such as Gmail, Twitter, Dropbox and Yahoo Mail. Google and Mozilla have already developed patches to defend against the CRIME attack.

Meanwhile the researchers have released a video of the exploit in action against Dropbox and GitHub (which patched its servers before the release of the video).

The best way to protect yourself? Upgrade your browser to the latest version and disable compression on servers.
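To make the two points above concrete, the following is an added toy model, not code from the article or from Rizzo and Duong: a browser-style request carrying a constructed cookie is compressed with DEFLATE (the algorithm behind TLS compression), and the length an observer would see is compared across candidate values placed in the attacker-controlled path. With compression on, only the correct candidate yields the shortest request; with compression off, every candidate produces the same length and nothing is learned, which is exactly why "disable compression on servers" works. The request text, the cookie value `session=7f3a9c`, the host `example.test` and the helper names are all assumptions made for the example; the last function shows what the mitigation looks like for a Python TLS endpoint, which the article does not discuss.

```python
"""Toy model of the CRIME length side-channel, and the check that disabling
compression closes it.  Everything here is constructed: the request is a
local string, nothing is sent anywhere, and no real service is involved."""
import ssl
import zlib

# Constructed secret standing in for the session cookie the browser attaches
# to every request.  An observer on the network never sees it in clear.
SECRET_COOKIE = "session=7f3a9c"


def build_request(path: str) -> bytes:
    """Assemble a request the way a browser would: the page that triggered it
    chose the path, the browser silently appended the cookie header."""
    return (
        f"GET /{path} HTTP/1.1\r\n"
        "Host: example.test\r\n"
        "User-Agent: Mozilla/5.0 (example)\r\n"
        "Accept: text/html,application/xhtml+xml\r\n"
        "Accept-Language: en-US,en\r\n"
        f"Cookie: {SECRET_COOKIE}\r\n"
        "Connection: keep-alive\r\n\r\n"
    ).encode()


def wire_length(path: str, compression_enabled: bool) -> int:
    """Number of bytes an observer sees for one request.  Encryption hides the
    content but not its length, and with TLS-level compression that length
    depends on how much of the request repeats earlier text."""
    plaintext = build_request(path)
    if not compression_enabled:
        return len(plaintext)
    # DEFLATE with fixed Huffman tables (Z_FIXED): one extra literal costs
    # exactly one byte, which keeps the toy deterministic.  Default DEFLATE
    # packs bits and can round a one-literal difference away, one reason the
    # real attack needs several requests per byte rather than one per guess.
    c = zlib.compressobj(strategy=zlib.Z_FIXED)
    return len(c.compress(plaintext) + c.flush())


def shortest_candidates(known_prefix: str, candidates: str,
                        compression_enabled: bool) -> set:
    """Place known_prefix + candidate in the attacker-controlled path for each
    candidate next byte and record the observed length.  Returns the
    candidates that produced the shortest request: a set of size one means
    the length alone identified the secret byte."""
    lengths = {g: wire_length(known_prefix + g, compression_enabled)
               for g in candidates}
    best = min(lengths.values())
    return {g for g, n in lengths.items() if n == best}


def length_leaks_secret(known_prefix: str, candidates: str,
                        compression_enabled: bool) -> bool:
    """True when the observable length narrows the candidate set at all."""
    return len(shortest_candidates(known_prefix, candidates,
                                   compression_enabled)) < len(candidates)


def tls_context_disables_compression(ctx: ssl.SSLContext = None) -> bool:
    """Mitigation check for a Python TLS endpoint (assumption: the server is
    built on the ssl module).  OP_NO_COMPRESSION is what 'disable compression
    on servers' means at this layer; the default context already sets it."""
    if ctx is None:
        ctx = ssl.create_default_context()
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


if __name__ == "__main__":
    HEX = "0123456789abcdef"
    prefix = "session=7f3a9"   # the part of the cookie already known in this toy
    print("compression on :", shortest_candidates(prefix, HEX, True))
    print("compression off:", shortest_candidates(prefix, HEX, False))
    print("default ssl context disables compression:",
          tls_context_disables_compression())
```

The toy tries every candidate once, so it spends sixteen requests on one hex digit; the article's figure of about six requests per byte reflects a more economical search, which is not reproduced here. The defender's takeaway is the second line of output: once compression is off, the shortest-request set is the whole alphabet and the channel carries no information.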

  1. Alan Drabke
    September 13, 2012 at 1:16 pm

    Very superior post!

  2. Thrawn
    September 25, 2012 at 5:02 am

    There’s a 10-year-old Firefox RFE that could go a long way toward fixing the JavaScript security model:

    https://bugzilla.mozilla.org/show_bug.cgi?id=38933

    The gist of it is: any time a cross-site request is going to be sent to a site where you have cookies and/or HTTP AUTH, you get a warning dialog, and can choose to strip the cookies/auth from the request, or block it altogether, and remember your decision for next time.
