CRIME (SSL/TLS) attack
Impact: Low
Description
CRIME (Compression Ratio Info-leak Made Easy) is a security exploit targeting secret web cookies transmitted over HTTPS and SPDY connections that use TLS-level data compression. Encryption hides the content of a record but not its length, so an attacker who can observe the size of the compressed, encrypted records can infer sensitive information, such as authentication cookies, from how well the data compresses, leading to session hijacking and further attacks.
Recommendation
To mitigate CRIME attacks, disable SSL/TLS compression on servers and clients. Implement Perfect Forward Secrecy (PFS) to prevent the decryption of past communications even if the server’s private key is compromised. Additionally, regularly update software and libraries to patch known vulnerabilities.
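Added here as a worked illustration of the Description and of the first recommendation (it is not part of this advisory or of any vendor's code): the cookie value and the request are constructed, and zlib's DEFLATE stands in for TLS-level compression. Two attacker-influenced requests of equal plaintext length produce records of different length when compression is on and one of them repeats the secret; with compression off the lengths are identical, which is why disabling compression removes the leak.

```python
import ssl
import zlib

# Constructed sample secret: the kind of cookie the advisory says CRIME targets.
SECRET_COOKIE = "sessionid=7f3a9c2e"

def build_request(attacker_text: str) -> bytes:
    """Minimal HTTP request as it sits in the TLS record before compression.
    The path is the part a hostile page can influence; the Cookie header is
    added by the browser and is the secret."""
    return (f"GET /{attacker_text} HTTP/1.1\r\n"
            f"Host: example.test\r\n"
            f"Cookie: {SECRET_COOKIE}\r\n\r\n").encode()

def on_wire_length(attacker_text: str, tls_compression: bool) -> int:
    """Record length a network observer sees. Encryption hides content but not
    length, so with TLS compression on the DEFLATE output size leaks; with it
    off the length depends only on the plaintext size."""
    data = build_request(attacker_text)
    return len(zlib.compress(data)) if tls_compression else len(data)

def leak_present(tls_compression: bool) -> bool:
    """Compare two attacker strings of identical length, one repeating the
    secret and one sharing nothing with it. A shorter record for the repeating
    string is the compression-ratio signal CRIME exploits; True means the
    observer can tell them apart."""
    repeats = SECRET_COOKIE            # 18 bytes, duplicates the cookie
    unrelated = "q1w2e3r4t5y6u7i8o9"   # 18 bytes, no common substrings
    assert len(repeats) == len(unrelated)
    return (on_wire_length(repeats, tls_compression)
            != on_wire_length(unrelated, tls_compression))

def hardened_client_context() -> ssl.SSLContext:
    """Client side of the recommendation: refuse TLS-level compression.
    create_default_context() already sets OP_NO_COMPRESSION; it is repeated
    explicitly so the intent survives a hand-built context."""
    ctx = ssl.create_default_context()
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx

def context_refuses_compression(ctx: ssl.SSLContext) -> bool:
    """Audit helper: True when the context will never negotiate compression."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)

if __name__ == "__main__":
    print("signal with TLS compression on :", leak_present(True))   # True
    print("signal with TLS compression off:", leak_present(False))  # False
```

On a live connection the same check is `sock.compression()` on the `ssl.SSLSocket`, which returns None when no compression was negotiated.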
Last updated on May 13, 2024