Vulnerabilities/

CRIME (SSL/TLS) attack

Severity:
Low

Description

CRIME (Compression Ratio Info-leak Made Easy) is a security exploit targeting secret web cookies transmitted over HTTPS and SPDY connections utilizing data compression. By analyzing the compression ratios, attackers can infer sensitive information, such as authentication cookies, leading to session hijacking and further attacks.

Recommendation

To mitigate CRIME attacks, disable SSL/TLS compression on servers and clients. Implement Perfect Forward Secrecy (PFS) to prevent the decryption of past communications even if the server’s private key is compromised. Additionally, regularly update software and libraries to patch known vulnerabilities.

References

Related Issues

Tags:
BREACH
CRIME
SSL/TLS
Encryption
Server Misconfiguration
Anything's wrong? Let us know Last updated on May 13, 2024

Use SmartScanner Free version to test for this issue

Download