the "crime" attack on TLS
Alfredo Pironti
alfredo.pironti at inria.fr
Thu Sep 13 14:55:53 CEST 2012
Hello,
Indeed, compression-based attacks on TLS have been known for a while
[1], but it is interesting that this can be exploited at the
browser-end.
Best,
Alfredo
[1] https://www.cosic.esat.kuleuven.be/ecrypt/provpriv2012/abstracts/barghavan.pdf
(Sorry, re-posting on gnutls-devel, as the previous address was wrong)
> On Thu, Sep 13, 2012 at 1:14 PM, Nikos Mavrogiannopoulos
> <nmav at gnutls.org> wrote:
>> Hello,
>> If you're not already aware there is a new attack on TLS called
>> "crime". I was asked by the author of this attack not to disclose any
>> information, but it seems it is public already [0] so I can comment on
>> it. That attack takes advantage of compression: by forcing an HTTPS
>> client to use carefully formatted data, it may be able to guess the
>> contents of other data not controlled by the attacker, based on the
>> compressed size. Because there is no formal description of the attack,
>> nor a precise use-case where the attack is considered dangerous, there
>> may be overreactions. The attack works when you have compression
>> enabled and data from an adversary can be mixed with sensitive data
>> (e.g. a URL that is provided by an adversary is mixed with secret
>> cookie data in an HTTPS request). Moreover, the adversary must be able
>> to invoke multiple trials (e.g. force a user to visit specially crafted
>> URLs again and again - perhaps by using JavaScript).
>>
>> So currently the threat is mostly to the HTTPS protocol and especially
>> browsers. To sum up:
>>
>> * Who does this attack affect:
>> 1. clients or servers that use compression and provide the ability to
>> an adversary to inject data (multiple times) in their session.
>>
>> * How to mitigate the attack?
>> 1. Do not enable compression (gnutls doesn't enable it by default)
>> 2. When using compression use the CBC ciphers that include a random
>> padding up to 255 bytes. That would increase the number of trials an
>> attacker needs to perform significantly.
>> 3. Make sure that, even if you must mix adversary-controlled data with
>> sensitive data, the adversary cannot trigger that multiple times.
>>
>> I'll add a recommendation on the web site later today.
>>
>> regards,
>> Nikos
>>
>> [0]. http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/