Description
The CRIME (Compression Ratio Info-leak Made Easy) attack targets SPDY protocol version 3 and earlier, as used in browsers such as Mozilla Firefox and Google Chrome. These versions can TLS-encrypt compressed data without adequately hiding the length of the unencrypted data. By observing length differences, attackers can infer plaintext HTTP headers, potentially leading to session hijacking.
Recommendation
To mitigate CRIME attacks in SPDY, disable SPDY compression or switch to an HTTP/2.0 profile. Implement TLS encryption with Perfect Forward Secrecy (PFS) to prevent decryption of past communications. Regularly update browsers and server software to patch vulnerabilities.
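The length side channel described above, and the effect of turning compression off, can be checked offline with the following added example (not code from the original page). It models SPDY header compression with plain zlib rather than SPDY's preset dictionary, assumes a cipher that preserves plaintext length, and uses constructed header values and hypothetical function names.

```python
import zlib

# Constructed sample values; not taken from any real session.
SECRET_COOKIE = "sessionid=d3b07384d113edec49eaa6238ad5ff00"
MATCHING = "sessionid=d3b07384d113edec49eaa6238ad5ff00"      # equals the secret
NON_MATCHING = "sessionid=7f1c9a52e08b46d3a5c0e9b1f2647d8c"  # same size, differs


def header_block(reflected: str) -> bytes:
    """Build a header block with one externally influenced field (the
    query string) and one secret field (the cookie)."""
    return (
        f"GET /?q={reflected} HTTP/1.1\r\n"
        "Host: example.test\r\n"
        f"Cookie: {SECRET_COOKIE}\r\n\r\n"
    ).encode()


def wire_length(block: bytes, compress: bool) -> int:
    """Length visible on the wire. Assumption: encryption preserves the
    length of its input, so ciphertext size tracks this value."""
    return len(zlib.compress(block)) if compress else len(block)


def length_gap(compress: bool) -> int:
    """Observed size difference between two requests whose reflected
    strings are equal in length but only one of which matches the secret."""
    return (wire_length(header_block(NON_MATCHING), compress)
            - wire_length(header_block(MATCHING), compress))


if __name__ == "__main__":
    # With compression, the matching string is replaced by a back-reference,
    # so the request is shorter and the gap is non-zero.
    print("gap with compression:   ", length_gap(compress=True))
    # Without compression, equal-length inputs give equal-length output.
    print("gap without compression:", length_gap(compress=False))
```

A non-zero gap with compression enabled is the information leak; a zero gap with compression disabled shows why the recommendation removes it.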
References
- Wikipedia: CRIME
- Wikipedia: Man-in-the-middle attack
- CVE-2012-4930
- CWE-16
- CWE-310
- CAPEC-310
- OWASP 2021-A2
- OWASP 2021-A5
- OWASP 2021-A6