CRIME Attack Uses Compression Ratio of TLS Requests as Side Channel to Hijack Secure Sessions

The new attack on TLS developed by researchers Juliano Rizzo and Thai Duong takes advantage of an information leak in the compression ratio of TLS requests as a side channel to enable them to decrypt the requests made by the client to the server. This, in turn, allows them to grab the user’s login cookie and then hijack the user’s session and impersonate her on high-value destinations such as banks or e-commerce sites.

The attack, known as CRIME, works on any version of TLS and the number of requests that the attacker needs to make in order to execute it is quite small, as low as six requests per cookie byte. The implications of the attack are considerable, given how widely TLS is used and the implicit trust that’s the key to its utility. Rizzo and Duong’s attack–their second such attack on TLS and SSL in the last two years–improves upon their previous results in that it doesn’t necessarily require the use of JavaScript and it can’t be defeated by changing to a different ciphersuite.

“Basically, the attacker is running script in Evil.com. He forces the browser to open requests to Bank.com by, for example, adding <img> tags with src pointing to Bank.com,” Rizzo said. “Each of those requests contains data from mixed sources.”

In these requests, attacker data and data produced by the browser are compressed and mixed together. Those requests can include the path, which the attacker controls; the browser’s headers, which are public; and the cookie, which should be secret.

“The problem is that compression combines all those sources together,” Rizzo added. “The attacker can sniff the packets and get the size of the requests that are sent. By changing the path, he could attempt to minimize the request size, i.e., when the file name matches the cookie.”

Rizzo and Duong have produced a video demonstrating their CRIME attack being used against several sites, including Dropbox and Github. The pair contacted the affected sites they tested and the sites have removed compression from their servers.
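
The size leak Rizzo describes, and the effect of removing compression, can be measured directly. The following is an added illustration, not the researchers' code: the host name, headers and cookie value are constructed, Python's zlib (DEFLATE) stands in for TLS/SPDY compression, and encryption is assumed to leave the request length visible.

```python
import zlib

# Constructed sample values; not taken from any real site or from the article.
SECRET_COOKIE = "session=7f3a9c2e51"
PUBLIC_HEADERS = "Host: bank.example\r\nUser-Agent: demo-browser\r\n"


def build_request(path: str) -> bytes:
    """Mix the three sources the article names: path, public headers, secret cookie."""
    return (
        f"GET /{path} HTTP/1.1\r\n"
        f"{PUBLIC_HEADERS}"
        f"Cookie: {SECRET_COOKIE}\r\n\r\n"
    ).encode()


def wire_length(path: str, compress: bool) -> int:
    """Length visible on the wire (assumption: encryption does not hide length)."""
    request = build_request(path)
    return len(zlib.compress(request, 9)) if compress else len(request)


def length_gap(compress: bool) -> int:
    """Bytes saved when the path repeats the cookie, versus an unrelated
    path of the same length. A non-zero gap is the side channel."""
    matching = SECRET_COOKIE
    unrelated = "qwzxkvjbLPMT084615"  # same length, shares no substring with the cookie
    return wire_length(unrelated, compress) - wire_length(matching, compress)


if __name__ == "__main__":
    print("gap with compression:   ", length_gap(compress=True))
    print("gap without compression:", length_gap(compress=False))
```

With compression on, the request whose path repeats the cookie is shorter because DEFLATE replaces the second copy with a back-reference; with compression off, both requests have the same length and the signal disappears.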

Last year, Rizzo and Duong presented a similar attack called BEAST at the Ekoparty conference in Argentina. That technique enabled them to hijack SSL sessions by stealing users’ secure cookies through JavaScript injection into the browser. That technique relied on a block-wise chosen-plaintext attack against the AES encryption algorithm and one defense against it was switching to RC4 encryption. That defense won’t work against CRIME.

Rizzo said that browsers that implement either TLS or SPDY compression are known to be vulnerable. That includes Google Chrome and Mozilla Firefox, as well as Amazon Silk. But the attack also works against several popular Web services, such as Gmail, Twitter, Dropbox and Yahoo Mail. SPDY is an open standard developed by Google to speed up Web-page load times and often uses TLS encryption.

Google and Mozilla have developed patches to defend against the CRIME attack, Rizzo said, and the latest versions of Chrome and Firefox are protected. The researchers will present their results at Ekoparty next week. 
