There is a feature supported by the SSL/TLS encryption standard and used by most of the major browsers that leaks enough information about encrypted sessions to enable attackers decrypt users’ supposedly protected cookies and hijack their sessions. The researchers who developed the attack that exploits this weakness say that all versions of TLS are affected, including TLS 1.2, and that the cipher suite used in the encrypted session makes no difference in the success of the attack.
The attack was developed by researchers Juliano Rizzo and Thai Duong, the same pair who last year released details of a similar attack on SSL/TLS and wrote a tool called BEAST, which also gave them the ability to decrypt users’ cookies and hijack sessions with sensitive sites such as e-commerce or online banking sites. That attack targeted a specific problem with the AES (Advanced Encryption Standard) algorithm as it was implemented in TLS 1.0 and SSL 3.0 and were able to use the BEAST tool to grab encrypted cookies from active user sessions that were supposedly protected by SSL/TLS.
Once they had the cookie, Rizzo and Duong could return to whatever site the user was visiting and log in using her credentials. The attack caused quite a stir in the security and cryptography communities and browser vendors were forced to issue fixes. One of the workarounds that defeated BEAST (Browser Exploit Against SSL/TLS) was to switch from TLS 1.0 to TLS 1.2 or to switch from AES to the RC4 cipher suite. However, Rizzo said that defense won’t work against their new attack, which they’ve dubbed CRIME.
The researchers plan to present their findings at the Ekoparty conference in Argentina later this month and are not revealing exactly which feature of SSL/TLS is providing the information leak, but they said that the new attack works much like the BEAST attack. Once they have a man-in-the-middle position on a given network, they can sniff HTTPS traffic and launch the attack.
“By running JavaScript code in the browser of the victim and sniffing HTTPS traffic, we can decrypt session cookies. We don’t need to use any browser plug-in and we use JavaScript to make the attack faster but in theory we could do it with static HTML,” Rizzo said.
Right now, Rizzo said, both Mozilla Firefox and Google Chrome are vulnerable to the attack. However, the researchers said that the browser vendors have developed patches for the problem that will be released in the next few weeks.
“We need to load JavaScript code into the victim’s browser and sniff the HTTPS traffic. All SSL/TLS versions including TLS 1.2 are affected if the implementation supports the feature that we abuse to leak information about the encrypted data,” Rizzo said. “The cipher-suite being used doesn’t matter, a workaround for BEAST was switching from AES to RC4 but for CRIME this is not important. The feature must be supported by the client and the server.”
Rizzo said that the specific feature in TLS that he and Duong are using in this attack has not been a major subject of security research in the past.
“The risk of implementing the feature has been superficially discussed before. However we haven’t found previous research showing how efficient an attack could be or any attempt by the authors of secure protocols to avoid the problem,” he said.
Although the CRIME attack can use JavaScript, it’s not required. Rizzo said that it really shouldn’t be possible to hijack a user’s session with one site just by loading JavaScript into the victim’s browser from a separate site. But that’s exactly what the new attack allows him to do.
In addition to their work developing the BEAST attack, Rizzo and Duong in 2011 also developed a padding oracle attack on Microsoft’s ASP.NET that affected millions of applications and forced the software giant to issue an emergency patch.