the "crime" attack on TLS

Nikos Mavrogiannopoulos nmav at
Thu Sep 13 13:15:43 CEST 2012

 If you're not already aware there is a new attack on TLS called
"crime". I was asked by the author of this attack not to disclose any
information, but it seems it is public already [0] so I can comment on
it. That attack takes advantage of compression and by forcing an HTTPS
client to use carefully formatted data it may be able to guess the
contents of other non-controlled by the attacker data, based on the
compressed size. Because there is no formal description of the attack,
nor a precise use-case where the attack is considered dangerous, and
due to that there may be overreactions. The attack works when you have
compression enabled and data from an adversary can be mixed with
sensitive data (e.g. a URL that is provided by an adversary is mixed
with secret cookie data in an HTTPS request). Moreover the adversary
must be able to invoke multiple trials (e.g. force a user to visit
specially crafted URLs again and again - perhaps by using javascript).

So currently the threat is mostly on the HTTPS protocol and especially
browsers. To sum up.

* Who does this attack affect:
1. clients or servers that use compression and provide the ability to
an adversary to inject data (multiple times) in their session.

* How to mitigate the attack?
1. Do not enable compression (gnutls' doesn't enable it by default)
2. When using compression use the CBC ciphers that include a random
padding up to 255 bytes. That would increase the number of trials an
attacker needs to perform significantly.
3. Make sure that even if you must mix adversary-controlled data with
sensitive data, that the adversary cannot trigger that multiple times.

I'll add a recommendation on the web site later today.



More information about the Gnutls-devel mailing list