CRIME attack is shown to decrypt HTTPS web sessions

September 14, 2012 by Nancy Owano, Phys.org report

(Phys.org)—The fun of acronyms is reflected in coming up with CRIME, which stands for Compression Ratio Info-leak Made Easy. What it translates into, though, is not much fun. Two security researchers have developed the CRIME attack that can successfully decrypt session cookies from HTTPS (Hypertext Transfer Protocol Secure) connections. This, in theory, would be a serious weakness that would enable the hijacking of a user's session cookie while the user is still authenticated to a website. Encryption protocols are the Internet's fundamental safety cushion, the basic level of trust, in encrypting traffic that flows over open networks. They cryptographically confirm websites are really operated by those sites rather than cyber-criminals and spies.

Juliano Rizzo and Thai Duong devised a technique that can attack web sessions that are protected by the and Transport Layer Security protocols, only when they use certain data-compression schemes. These are compression schemes that reduce network congestion or the time it takes for webpages to load.

Security experts have noted that a downside of compression is that it leaks clues about encrypted contents. For the attack to work, a computer user's client and server hosting the targeted website need to support the vulnerable SSL/TLS features. According to reports, was never vulnerable because it never supported SPDY or the TLS compression scheme known as Deflate. Apple's doesn't support SPDY, but its use of compression is unknown.

Google and Mozilla released patches after the weaknesses were reported by the researchers. A video taken by Rizzo and Duong shows Github.com, Dropbox.com, and Stripe.com, when visited with Chrome, succumbing to the CRIME attack, but those sites had disabled compression and are no longer vulnerable. Mozilla and have prepared patches that block the attack.

This is a short demo of the CRIME attack against TLS protocol.

Rizzo and Duong will take their demo of CRIME to the Buenos Aires, Argentina, security conference, Ekoparty, on September 21. Their attack technique no longer works on the most popular browsers to connect to HTTPS-protected websites, but security watchers believe this is a most useful reminder that the science of encrypton protection knows no rest.

Their CRIME exploit is the type of attack that would be a large-scale attack by geopolitical antagonists. In turn, watchers reasons are paying attention to the researchers' CRIME technique.

Explore further: Hackers target British anti-crime agency website

More information: www.ekoparty.org/2012/juliano-rizzo.php

Related Stories

Hackers target British anti-crime agency website

June 20, 2011

Hackers who have hit the websites of the CIA, US Senate, Sony and others during a month-long rampage claimed on Monday to have knocked the site of Britain's Serious Organized Crime Agency (SOCA) offline.

Patch for flaw in key Internet protocol

January 15, 2010

(PhysOrg.com) -- A flaw was found in November in a key Internet protocol that encrypts most sensitive online transactions and communications, including credit card and banking transactions. A patch has now been developed ...

Recommended for you

Balancing nuclear and renewable energy

April 25, 2018

Nuclear power plants typically run either at full capacity or not at all. Yet the plants have the technical ability to adjust to the changing demand for power and thus better accommodate sources of renewable energy such as ...

Researchers 3-D print electronics and cells directly on skin

April 25, 2018

In a groundbreaking new study, researchers at the University of Minnesota used a customized, low-cost 3D printer to print electronics on a real hand for the first time. The technology could be used by soldiers on the battlefield ...

Electrode shape improves neurostimulation for small targets

April 24, 2018

A cross-like shape helps the electrodes of implantable neurostimulation devices to deliver more charge to specific areas of the nervous system, possibly prolonging device life span, says research published in March in Scientific ...

China auto show highlights industry's electric ambitions

April 22, 2018

The biggest global auto show of the year showcases China's ambitions to become a leader in electric cars and the industry's multibillion-dollar scramble to roll out models that appeal to price-conscious but demanding Chinese ...

0 comments

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.