The new attack on TLS developed by researchers Juliano Rizzo and Thai Duong uses the compression ratio of TLS requests as a side channel: the information it leaks enables them to decrypt the requests made by the client to the server. This, in turn, allows them to grab the user’s login cookie, hijack the user’s session and impersonate her on high-value destinations such as banks or e-commerce sites.
“Basically, the attacker is running script in Evil.com. He forces the browser to open requests to Bank.com by, for example, adding <img> tags with src pointing to Bank.com,” Rizzo said. “Each of those requests contains data from mixed sources.”
In these requests, attacker-controlled data and data produced by the browser are mixed together and compressed. The requests can include the path, which the attacker controls; the browser’s headers, which are public; and the cookie, which should be secret.
“The problem is that compression combines all those sources together,” Rizzo added. “The attacker can sniff the packets and get the size of the requests that are sent. By changing the path, he could attempt to minimize the request size, i.e., when the file name matches the cookie.”
Rizzo and Duong have produced a video demonstrating their CRIME attack being used against several sites, including Dropbox and GitHub. The pair contacted the affected sites they tested, and the sites have removed compression from their servers.
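The size signal Rizzo describes, and the effect of removing compression, can be measured offline with zlib. The following is an added example, not code from the researchers: the cookie, host, headers and filler string are constructed, and encryption is modelled as length-preserving with an assumed fixed per-record overhead.

```python
import zlib

# Constructed sample values for illustration; none come from the article.
COOKIE_NAME = "sessionid="
COOKIE_VALUE = "7f3a9c1e5b8d4026a1c4e9f0b2d6385a"
FILLER = "ZYXWVUTSRQPONMLKJIHGFEDCBAzyxwvu"  # same length, shares no characters with the value
HEADERS = "Host: bank.example\r\nUser-Agent: ExampleBrowser/1.0\r\nAccept: */*\r\n"
RECORD_OVERHEAD = 20  # assumption: fixed per-record MAC, length-preserving cipher


def build_request(path: str) -> bytes:
    """One request: chosen path, public headers, then the secret cookie."""
    request = f"GET /{path} HTTP/1.1\r\n{HEADERS}Cookie: {COOKIE_NAME}{COOKIE_VALUE}\r\n\r\n"
    return request.encode("ascii")


def wire_length(path: str, compression: bool) -> int:
    """Record length an on-path observer would see for this request."""
    payload = build_request(path)
    if compression:
        # Path and cookie share one compression context, so a path that
        # repeats the cookie lets the cookie become a single back-reference.
        payload = zlib.compress(payload, 9)
    return len(payload) + RECORD_OVERHEAD


def length_gap(compression: bool) -> int:
    """Size difference between a non-matching path and a matching one.

    Both paths have the same plaintext length, so any gap comes from
    compression alone.
    """
    matching = COOKIE_NAME + COOKIE_VALUE
    non_matching = COOKIE_NAME + FILLER[:len(COOKIE_VALUE)]
    return wire_length(non_matching, compression) - wire_length(matching, compression)


if __name__ == "__main__":
    print("gap with compression:   ", length_gap(True))
    print("gap without compression:", length_gap(False))
```

A positive gap with compression and a zero gap without it is why removing compression closes the side channel.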
Rizzo said that browsers that implement either TLS or SPDY compression are known to be vulnerable. That includes Google Chrome and Mozilla Firefox, as well as Amazon Silk. But the attack also works against several popular Web services, such as Gmail, Twitter, Dropbox and Yahoo Mail. SPDY is an open standard developed by Google to speed up Web-page load times and often uses TLS encryption.
Google and Mozilla have developed patches to defend against the CRIME attack, Rizzo said, and the latest versions of Chrome and Firefox are protected. The researchers will present their results at Ekoparty next week.