Demo of the CRIME TLS Attack

Author: Dennis Fisher

September 13, 2012 1:56 am

Security researchers Juliano Rizzo and Thai Duong have developed a new attack called CRIME on the TLS protocol that uses the compression ratio in TLS requests as a side channel to gather information that enables them to decrypt the requests and extract users’ cookies.

Security researchers Juliano Rizzo and Thai Duong have developed a new attack called CRIME on the TLS protocol that uses the compression ratio in TLS requests as a side channel to gather information that enables them to decrypt the requests and extract users’ cookies. The attack works against both the TLS layer and the application layer and many major browsers, including Chrome and Firefox, are vulnerable. This video shows one of their exploits in action.

Suggested articles

data dump

6 Questions Attackers Ask Before Choosing an Asset to Exploit

David “moose” Wolpoff at Randori explains how hackers pick their targets, and how understanding “hacker logic” can help prioritize defenses.

unpatched urgent/11 cdpwn

Millions of Unpatched IoT, OT Devices Threaten Critical Infrastructure

Industrial, factory and medical gear remain largely unpatched when it comes to the URGENT/11 and CDPwn groups of vulnerabilities.

D-Link Routers at Risk for Remote Takeover from Zero-Day Flaws

Critical vulnerabilities discovered by Digital Defense can allow attackers to gain root access and take over devices running same firmware.