Last Updated on May 24, 2015
More details have been released about CRIME, the brand new attack against TLS developed by Juliano Rizzo and Thai Duong.
The attack exploits the way TLS compression changes the size of encrypted requests, which allows the attacker to recover the content of requests made by the client to the server. The attacker is able to steal the user's login cookie and then hijack the user's session, impersonating the user on other destinations such as banks or e-commerce sites.
Not only does the attack work on any version of TLS, but the number of requests needed for it to succeed is also quite small: as few as six requests per cookie byte.
Every browser that implements either TLS or SPDY compression (SPDY is an open standard developed by Google to speed up Web-page load times) is vulnerable. The list includes Google Chrome, Mozilla Firefox, and Amazon Silk. The attack also works against several popular Web services, such as Gmail, Twitter, Dropbox and Yahoo Mail. In any case, Google and Mozilla have already developed patches to defend against the CRIME attack.
Meanwhile, the researchers have released a video showing the exploit in action against Dropbox and GitHub (which patched its servers before the video was released).
The best way to protect yourself? Upgrade your browser to the latest version and disable compression on your servers.
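To see why disabling compression is the fix, here is an added illustration (not part of the original post, and not the researchers' code) of the length side channel described above: a constructed request places a guessed value next to a secret cookie inside one DEFLATE-compressed block, the way a TLS or SPDY header block would, and the candidate that matches the secret compresses a little smaller. With compression off, every candidate produces the same length and nothing leaks. The hostname and cookie value are constructed sample data.

```python
import zlib

# Constructed secret; known here only so the demonstration can check itself.
SECRET_COOKIE = "sessionid=d8e3f"


def build_request(guess: str) -> bytes:
    """Constructed request: the guess in the path (the part an attacker could
    influence) and the victim's cookie, both in the same header block."""
    return (
        f"GET /{guess} HTTP/1.1\r\n"
        f"Host: example.com\r\n"
        f"Cookie: {SECRET_COOKIE}\r\n\r\n"
    ).encode()


def request_length(guess: str, compress: bool) -> int:
    """Length on the wire for one request, with DEFLATE (as TLS/SPDY
    compression used) or with compression disabled."""
    data = build_request(guess)
    return len(zlib.compress(data, 9)) if compress else len(data)


def length_leak(known_prefix: str, compress: bool) -> dict:
    """Wire length for each candidate next byte appended to a known prefix.
    Hex digits are assumed as the cookie alphabet for this sample."""
    alphabet = "0123456789abcdef"
    return {c: request_length(known_prefix + c, compress) for c in alphabet}


def smallest_candidates(leak: dict) -> list:
    """Candidates that produced the minimum length. With compression on this
    set singles out (or at least contains) the true byte; with compression
    off it is the whole alphabet, i.e. no information at all. Ties and
    Huffman-coding noise are why the real attack needs several requests
    per byte rather than exactly one."""
    m = min(leak.values())
    return sorted(c for c, n in leak.items() if n == m)


if __name__ == "__main__":
    prefix = "sessionid=d8e3"
    print("compressed:  ", smallest_candidates(length_leak(prefix, True)))
    print("uncompressed:", smallest_candidates(length_leak(prefix, False)))
```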
[youtube=http://www.youtube.com/watch?v=gGPhHYyg9r4]
There’s a 10-year-old Firefox RFE that could go a long way toward fixing the JavaScript security model:
https://bugzilla.mozilla.org/show_bug.cgi?id=38933
The gist of it is: any time a cross-site request is going to be sent to a site where you have cookies and/or HTTP AUTH, you get a warning dialog, and can choose to strip the cookies/auth from the request, or block it altogether, and remember your decision for next time.
Very superior post!