More details have been released about CRIME, the brand new attack against TLS developed by Juliano Rizzo and Thai Duong.
The attack takes advantage of a flaw in the compression ratio of TLS requests wich allows the attacker to decrypt the requests made by the client to the server. The attacker is able to steal the user’s login cookie and then hijack the user’s session, impersonating him on other destinations such as banks or e-commerce sites.
Not only the attack works on any version of TLS, but also the number of requests needed for the attack to be sucessful is quite small, as low as six requests per cookie byte.
Each browsers that implements either TLS or SPDY compression (SPDY is an open standard developed by Google to speed up Web-page load times) is vulnerable. The list includes Google Chrome, Mozilla Firefox, and Amazon Silk. The attack also works against several popular Web services, such as Gmail, Twitter, Dropbox and Yahoo Mail. In any case Google and Mozilla have already developed patches to defend against the CRIME attack.
Meanwhile the researchers have released a video with the exploit in action against Dropbox and Github (which patched the servers before the release of the video).
Best way to protect yourself? Upgrade browsers to the latest version and disable compression on servers.
- A CRIME Against SSL/TLS Encryption (hackmageddon.com)