the "crime" attack on TLS

Alfredo Pironti alfredo.pironti at inria.fr
Thu Sep 13 14:52:46 CEST 2012


Hello,

Indeed, compression-based attacks on TLS have been known for a while
[1], but it is interesting that this can be exploited at the
browser-end.

Best,
Alfredo

[1] https://www.cosic.esat.kuleuven.be/ecrypt/provpriv2012/abstracts/barghavan.pdf


On Thu, Sep 13, 2012 at 1:14 PM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> Hello,
>  If you're not already aware there is a new attack on TLS called
> "crime". I was asked by the author of this attack not to disclose any
> information, but it seems it is public already [0] so I can comment on
> it. That attack takes advantage of compression and, by forcing an HTTPS
> client to use carefully formatted data, it may be able to guess the
> contents of other data not controlled by the attacker, based on the
> compressed size. Because there is no formal description of the attack,
> nor a precise use-case where the attack is considered dangerous,
> there may be overreactions. The attack works when you have
> compression enabled and data from an adversary can be mixed with
> sensitive data (e.g. a URL that is provided by an adversary is mixed
> with secret cookie data in an HTTPS request). Moreover the adversary
> must be able to invoke multiple trials (e.g. force a user to visit
> specially crafted URLs again and again - perhaps by using JavaScript).
>
> So currently the threat is mostly on the HTTPS protocol and especially
> browsers. To sum up:
>
> * Who does this attack affect:
> 1. clients or servers that use compression and provide the ability to
> an adversary to inject data (multiple times) in their session.
>
> * How to mitigate the attack?
> 1. Do not enable compression (gnutls doesn't enable it by default)
> 2. When using compression use the CBC ciphers that include a random
> padding up to 255 bytes. That would increase the number of trials an
> attacker needs to perform significantly.
> 3. Make sure that even if you must mix adversary-controlled data with
> sensitive data, that the adversary cannot trigger that multiple times.
>
> I'll add a recommendation on the web site later today.
>
> regards,
> Nikos
>
> [0]. http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/
>
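
The length dependence and mitigations 1 and 2 from the quoted message, as an added example that is not part of either mail and is not GnuTLS code. It models the observable record size with Python's zlib; the cookie value, the guesses, the host name and all function names are constructed for illustration.

```python
import zlib

# Constructed sample values, not taken from any real session.
SECRET_COOKIE = "session=7f3a9c1e5b2d8046"
RIGHT_GUESS = "session=7f3a9c1e5b2d8046"   # equals the secret
WRONG_GUESS = "session=e1d4b7a09c3f6258"   # same length, different value
MAX_RANDOM_PAD = 255                        # mitigation 2 in the mail


def build_request(injected: str) -> bytes:
    """Request in which adversary-supplied data (the URL) is mixed with
    sensitive data (the cookie), as described in the mail."""
    return (f"GET /?{injected} HTTP/1.1\r\n"
            f"Host: example.test\r\n"
            f"Cookie: {SECRET_COOKIE}\r\n\r\n").encode()


def record_length(injected: str, compression: bool) -> int:
    """Plaintext length handed to the cipher. A network observer learns it
    up to a constant (MAC, IV and block rounding are ignored in this model)."""
    data = build_request(injected)
    return len(zlib.compress(data)) if compression else len(data)


def length_gap(compression: bool) -> int:
    """Observable size of a wrong guess minus that of a right guess.
    Non-zero means the record size depends on the secret."""
    return (record_length(WRONG_GUESS, compression)
            - record_length(RIGHT_GUESS, compression))


def single_observation_ambiguous(gap: int, max_pad: int = MAX_RANDOM_PAD) -> bool:
    """With a uniform random pad of 0..max_pad bytes per record, the size
    ranges [n, n + max_pad] of the two cases overlap whenever gap <= max_pad,
    so one observation cannot separate them; it takes many more trials."""
    return abs(gap) <= max_pad


if __name__ == "__main__":
    for compression in (True, False):
        gap = length_gap(compression)
        print(f"compression={compression}: gap={gap} bytes, "
              f"ambiguous under random padding="
              f"{single_observation_ambiguous(gap)}")
```

With compression off the gap is zero because both guesses have the same length, which is why mitigation 1 removes the signal while mitigation 2 only hides it behind noise.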
