the "crime" attack on TLS

Alfredo Pironti alfredo.pironti at
Thu Sep 13 14:55:53 CEST 2012


Indeed, compression-based attacks on TLS have been known for a while
[1], but it is interesting that this can be exploited at the
(Sorry, re-posting on gnutls-devel, as the previous address was wrong)

> On Thu, Sep 13, 2012 at 1:14 PM, Nikos Mavrogiannopoulos
> <nmav at> wrote:
>> Hello,
>>  If you're not already aware, there is a new attack on TLS called
>> "crime". I was asked by the author of this attack not to disclose any
>> information, but it seems it is public already [0] so I can comment on
>> it. That attack takes advantage of compression and by forcing an HTTPS
>> client to use carefully formatted data it may be able to guess the
>> contents of other data not controlled by the attacker, based on the
>> compressed size. Because there is no formal description of the attack,
>> nor a precise use-case where the attack is considered dangerous, there
>> may be overreactions. The attack works when you have
>> compression enabled and data from an adversary can be mixed with
>> sensitive data (e.g. a URL that is provided by an adversary is mixed
>> with secret cookie data in an HTTPS request). Moreover the adversary
>> must be able to invoke multiple trials (e.g. force a user to visit
>> specially crafted URLs again and again - perhaps by using javascript).
>> So currently the threat is mostly on the HTTPS protocol and especially
>> browsers. To sum up:
>> * Who does this attack affect:
>> 1. clients or servers that use compression and provide the ability to
>> an adversary to inject data (multiple times) in their session.
>> * How to mitigate the attack?
>> 1. Do not enable compression (gnutls doesn't enable it by default)
>> 2. When using compression use the CBC ciphers that include a random
>> padding up to 255 bytes. That would increase the number of trials an
>> attacker needs to perform significantly.
>> 3. Make sure that even if you must mix adversary-controlled data with
>> sensitive data, the adversary cannot trigger that multiple times.
>> I'll add a recommendation on the web site later today.
>> regards,
>> Nikos
>> [0].
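As an added illustration that is not part of the original thread, the following Python measures the condition Nikos describes (the compressed size of a request depends on whether adversary-controlled data repeats secret data) and models the random CBC padding of mitigation 2. The request layout, the cookie value and the control string are constructed sample values, not anything from GnuTLS.

```python
import zlib
import secrets

# Constructed sample values (not from the original message): a secret cookie and a
# control string of the same length that shares no 3-byte substring with it.
SECRET_COOKIE = "sessionid=7f3a9c21"
CONTROL_PATH = "Zk4QwX9bHtL2nRvE0s"


def build_request(path: str, cookie: str = SECRET_COOKIE) -> bytes:
    """Minimal HTTPS request in which an adversary-chosen URL is mixed with a
    secret cookie, the situation described in the message above."""
    return (f"GET /{path} HTTP/1.1\r\n"
            f"Host: example.com\r\n"
            f"Cookie: {cookie}\r\n\r\n").encode()


def compressed_size(plaintext: bytes) -> int:
    """Bytes the DEFLATE stream occupies; with TLS compression this is what
    determines the record length an observer sees (before any padding)."""
    return len(zlib.compress(plaintext, 9))


def compression_leak_bytes(probe_path: str, control_path: str) -> int:
    """How many bytes smaller the compressed request becomes when the adversary's
    path repeats secret material, compared with a control path of equal length
    that shares nothing with the secret. A positive result means the record
    size depends on the secret, which is the precondition for the attack."""
    if len(probe_path) != len(control_path):
        raise ValueError("probe and control must have equal length")
    return (compressed_size(build_request(control_path))
            - compressed_size(build_request(probe_path)))


def cbc_padded_length(record_len: int) -> int:
    """Model of mitigation 2: a CBC record may carry 0..255 extra padding bytes;
    choosing that amount at random blurs any single size observation."""
    return record_len + secrets.randbelow(256)


if __name__ == "__main__":
    leak = compression_leak_bytes(SECRET_COOKIE, CONTROL_PATH)
    print(f"compressed size drops by {leak} bytes when the URL repeats the cookie")
    base = compressed_size(build_request(CONTROL_PATH))
    print("padded sizes of the same record:",
          sorted({cbc_padded_length(base) for _ in range(5)}))
```

Run the script against your own message template to check whether a field an adversary controls can share content with a secret field; a non-zero leak with compression enabled means the first mitigation (disable compression) is the one to apply.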
