CRIME attack is shown to decrypt HTTPS web sessions

Sep 14, 2012 by Nancy Owano report

(Phys.org)—The fun of acronyms is reflected in coming up with CRIME, which stands for Compression Ratio Info-leak Made Easy. What it translates into, though, is not much fun. Two security researchers have developed the CRIME attack that can successfully decrypt session cookies from HTTPS (Hypertext Transfer Protocol Secure) connections. This, in theory, would be a serious weakness that would enable the hijacking of a user's session cookie while the user is still authenticated to a website. Encryption protocols are the Internet's fundamental safety cushion, the basic level of trust, in encrypting traffic that flows over open networks. They cryptographically confirm websites are really operated by those sites rather than cyber-criminals and spies.

Juliano Rizzo and Thai Duong devised a technique that can attack web sessions that are protected by the and Transport Layer Security protocols, only when they use certain data-compression schemes. These are compression schemes that reduce network congestion or the time it takes for webpages to load.

Security experts have noted that a downside of compression is that it leaks clues about encrypted contents. For the attack to work, a computer user's client and server hosting the targeted website need to support the vulnerable SSL/TLS features. According to reports, was never vulnerable because it never supported SPDY or the TLS compression scheme known as Deflate. Apple's doesn't support SPDY, but its use of compression is unknown.

Google and Mozilla released patches after the weaknesses were reported by the researchers. A video taken by Rizzo and Duong shows Github.com, Dropbox.com, and Stripe.com, when visited with Chrome, succumbing to the CRIME attack, but those sites had disabled compression and are no longer vulnerable. Mozilla and have prepared patches that block the attack.

This video is not supported by your browser at this time.
This is a short demo of the CRIME attack against TLS protocol.

Rizzo and Duong will take their demo of CRIME to the Buenos Aires, Argentina, security conference, Ekoparty, on September 21. Their attack technique no longer works on the most popular browsers to connect to HTTPS-protected websites, but security watchers believe this is a most useful reminder that the science of encrypton protection knows no rest.

Their CRIME exploit is the type of attack that would be a large-scale attack by geopolitical antagonists. In turn, watchers reasons are paying attention to the researchers' CRIME technique.

Explore further: LinkedIn membership hits 300 million

More information: www.ekoparty.org/2012/juliano-rizzo.php

Related Stories

Hackers target British anti-crime agency website

Jun 20, 2011

Hackers who have hit the websites of the CIA, US Senate, Sony and others during a month-long rampage claimed on Monday to have knocked the site of Britain's Serious Organized Crime Agency (SOCA) offline.

Patch for flaw in key Internet protocol

Jan 15, 2010

(PhysOrg.com) -- A flaw was found in November in a key Internet protocol that encrypts most sensitive online transactions and communications, including credit card and banking transactions. A patch has now ...

Recommended for you

LinkedIn membership hits 300 million

Apr 18, 2014

The career-focused social network LinkedIn announced Friday it has 300 million members, with more than half the total outside the United States.

Researchers uncover likely creator of Bitcoin

Apr 18, 2014

The primary author of the celebrated Bitcoin paper, and therefore probable creator of Bitcoin, is most likely Nick Szabo, a blogger and former George Washington University law professor, according to students ...

White House updating online privacy policy

Apr 18, 2014

A new Obama administration privacy policy out Friday explains how the government will gather the user data of online visitors to WhiteHouse.gov, mobile apps and social media sites. It also clarifies that ...

User comments : 0

More news stories

Ex-Apple chief plans mobile phone for India

Former Apple chief executive John Sculley, whose marketing skills helped bring the personal computer to desktops worldwide, says he plans to launch a mobile phone in India to exploit its still largely untapped ...

Airbnb rental site raises $450 mn

Online lodging listings website Airbnb inked a $450 million funding deal with investors led by TPG, a source close to the matter said Friday.

Health care site flagged in Heartbleed review

People with accounts on the enrollment website for President Barack Obama's signature health care law are being told to change their passwords following an administration-wide review of the government's vulnerability to the ...

A homemade solar lamp for developing countries

(Phys.org) —The solar lamp developed by the start-up LEDsafari is a more effective, safer, and less expensive form of illumination than the traditional oil lamp currently used by more than one billion people ...

NASA's space station Robonaut finally getting legs

Robonaut, the first out-of-this-world humanoid, is finally getting its space legs. For three years, Robonaut has had to manage from the waist up. This new pair of legs means the experimental robot—now stuck ...

Filipino tests negative for Middle East virus

A Filipino nurse who tested positive for the Middle East virus has been found free of infection in a subsequent examination after he returned home, Philippine health officials said Saturday.

Egypt archaeologists find ancient writer's tomb

Egypt's minister of antiquities says a team of Spanish archaeologists has discovered two tombs in the southern part of the country, one of them belonging to a writer and containing a trove of artifacts including reed pens ...