CRIME (SSL/TLS) attack

Impact: Low

Description

CRIME (Compression Ratio Info-leak Made Easy) is a chosen-plaintext side-channel attack on HTTPS and SPDY connections that compress data before encrypting it (TLS-level DEFLATE compression, or SPDY's zlib header compression). Encryption hides the content of a request but not its length, and the compressed length depends on how much of the request repeats. An attacker who can make the victim's browser send requests with attacker-chosen bytes (for example through a cross-site request issued from a page they control) and who can observe the resulting ciphertext on the network injects a guess for the next byte of a secret such as the session cookie: when the guess is correct, the compressor finds a longer repeat and the ciphertext shrinks. Repeating this byte by byte recovers the cookie and lets the attacker hijack the session.
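The following is an added example, not code from the original page or from SmartScanner, that models the leak described above with the standard library's zlib. The "victim" function builds an HTTP request containing both the attacker-chosen bytes (in the path) and a constructed secret cookie, compresses it with DEFLATE, and returns only the compressed length, which is all a network attacker sees. The recovery loop guesses the cookie one byte at a time and keeps the guess that makes the output shortest. Two details are assumptions of this demo rather than part of the original attack description: the fixed Huffman table (zlib.Z_FIXED) keeps the cost of every symbol constant so the one-byte saving is exact, and a few nine-bit padding literals are prepended in different amounts so that rounding to whole bytes cannot hide a saving of 7 or 8 bits. The secret value, host name and charset are all constructed for the demo.

```python
import zlib

# Constructed demo values; nothing here comes from a real system.
SECRET = b"7f3a9c0e4b81d256"       # the cookie value the attacker wants
ALPHABET = b"0123456789abcdef"     # attacker's assumption: lowercase hex

# Bytes >= 144 are 9-bit literals under DEFLATE's fixed Huffman table, so
# prepending j of them shifts the bit alignment of the whole output by j bits.
# Trying j = 0..7 guarantees that a 7- or 8-bit saving is visible as a shorter
# byte count in at least 7 of the 8 trials (demo convenience, see lead-in).
PAD = bytes(range(0x90, 0x98))


def compressed_len(attacker_bytes: bytes) -> int:
    """Length oracle: the victim's browser puts attacker-chosen bytes in the
    request path, its own secret cookie in the Cookie header, compresses the
    whole request and encrypts it; the attacker observes the ciphertext length,
    which equals the compressed length."""
    request = (
        b"GET /?q=" + attacker_bytes + b" HTTP/1.1\r\n"
        b"Host: example.com\r\n"
        b"Cookie: session=" + SECRET + b"\r\n\r\n"
    )
    # Raw DEFLATE (wbits=-15) with fixed Huffman codes for an exact cost model.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15, 9, zlib.Z_FIXED)
    return len(comp.compress(request) + comp.flush())


def score(known: bytes, guess: int) -> int:
    """Total oracle length over the 8 alignment trials for one candidate byte.
    A correct guess extends the match between the injected 'session=<known><guess>'
    and the real cookie by one byte, so its total is strictly smaller."""
    return sum(
        compressed_len(PAD[:j] + b"session=" + known + bytes([guess]))
        for j in range(8)
    )


def recover_secret(length: int) -> bytes:
    """Recover `length` bytes of the cookie using only the length oracle."""
    known = b""
    for _ in range(length):
        best = min(ALPHABET, key=lambda g: score(known, g))
        known += bytes([best])
    return known


if __name__ == "__main__":
    recovered = recover_secret(len(SECRET))
    print("recovered:", recovered.decode(), "correct:", recovered == SECRET)
```

Each step costs 16 candidates times 8 trials, so the whole cookie falls to a few thousand requests, which is the order of magnitude the original attack needed. Against real TLS compression the Huffman tables are dynamic and the measurements are noisier, so practical tools repeat or pad requests to separate the correct guess from ties; the principle is unchanged.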

Recommendation

To mitigate CRIME, disable TLS compression on the server (for Apache mod_ssl, set `SSLCompression off`; for other servers, build against or configure OpenSSL so that compression is not offered) and on any client you control; modern browsers no longer offer TLS compression, which limits the practical exposure, but a server that still advertises it remains misconfigured. Verify the fix by connecting with `openssl s_client -connect host:443` and checking that the handshake summary reports `Compression: NONE`. Note that this finding concerns compression at the TLS layer only: HTTP-level compression of responses (gzip) is a separate issue, exploited by the related BREACH attack, and is not addressed by this setting. Perfect Forward Secrecy does not prevent CRIME, since the attack never touches the server's key; it is still worth enabling, as is keeping TLS libraries and server software patched.

Last updated on May 13, 2024
