CRIME (security exploit)
Compression Ratio Info-leak Made Easy (CRIME) is a security exploit against secret web cookies over connections using the HTTPS and SPDY protocols that also use data compression. When used to recover the content of secret authentication cookies, it allows an attacker to perform session hijacking on an authenticated web session, allowing the launching of further attacks.
The vulnerability exploited is a combination of plaintext injection and inadvertent information leakage through data compression similar to that described in 2002 by the cryptographer John Kelsey. It relies on the attacker being able to observe the size of the ciphertext sent by the browser while at the same time inducing the browser to make multiple carefully crafted web connections to the target site. The attacker then observes the change in size of the compressed request payload, which contains both the secret cookie that is sent by the browser only to the target site, and variable content created by the attacker, as the variable content is altered. When the size of the compressed content is reduced, it can be inferred that it is probable that some part of the injected content matches some part of the source, which includes the secret content that the attacker desires to discover. Divide and conquer techniques can then be used to home in on the true secret content in a relatively small number of probe attempts that is a small multiple of the number of secret bytes to be recovered.
The CRIME exploit was created by the security researchers Juliano Rizzo and Thai Duong, who also created the BEAST exploit. The exploit was due to be revealed in full at the 2012 ekoparty security conference.
CRIME can be defeated by preventing the use of compression, either at the client end, by the browser disabling the compression of HTTPS requests, or by the website preventing the use of data compression on such transactions using the protocol negotiation features of the TLS protocol. As detailed in The Transport Layer Security (TLS) Protocol Version 1.2, the client sends a list of compression algorithms in its ClientHello message, and the server picks one of them and sends it back in its ServerHello message. The server can only choose a compression method the client has offered, so if the client only offers 'none' (no compression), the data will not be compressed. Similarly, since 'no compression' must be allowed by all TLS clients, a server can always refuse to use compression.
CRIME may also be defeated on the client side by placing restrictions on cross-site requests, known as cross-site request forgery (CSRF) protection. The "CsFire" extension for Mozilla Firefox strips authentication and cookies from cross-site requests, while the "RequestPolicy" extension completely blocks cross-site requests by default. However, these extensions interfere with the normal operation of many websites, so the user must set up and maintain whitelists of unrestricted requests.
As of September 2012[update], the CRIME exploit was described as mitigated in the then-latest versions of the Chrome and Firefox web browsers, and Microsoft has confirmed that their Internet Explorer browser was not vulnerable to the exploit. Some websites have applied countermeasures at their end. The nginx web-server was not vulnerable to CRIME since 1.0.9/1.1.6 (October/November 2011) using OpenSSL 1.0.0+, and since 1.2.2/1.3.2 (June / July 2012) using all versions of OpenSSL.
At the August 2013 Black Hat conference, researchers Gluck, Harris and Prado announced an extension of the general approach of the CRIME exploit called BREACH (short for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext). It uncovers HTTPS secrets by attacking the inbuilt HTTP data compression used by webservers to reduce network traffic, which works independently of whether TLS compression is enabled, making it completely resistant to the standard mitigation for the CRIME exploit of turning off TLS compression.
- Goodin, Dan (September 13, 2012). "Crack in Internet's foundation of trust allows HTTPS session hijacking". Ars Technica. Retrieved September 13, 2012.
- Fisher, Dennis (September 13, 2012). "CRIME Attack Uses Compression Ratio of TLS Requests as Side Channel to Hijack Secure Sessions". ThreatPost. Retrieved September 13, 2012.
- Kelsey, J. (2002). "Compression and Information Leakage of Plaintext". Fast Software Encryption. Lecture Notes in Computer Science 2365. p. 263. doi:10.1007/3-540-45661-9_21. ISBN 978-3-540-44009-3.
- "CRIME - How to beat the BEAST successor?". StackExchange.com. September 8, 2012. Retrieved September 13, 2012.
- Rizzo, Juliano; Duong, Thai. "The CRIME attack". Ekoparty. Retrieved September 21, 2012 – via Google Docs.
- Dierks, T.; Resorla, E. (August 2008). "The Transport Layer Security (TLS) Protocol Version 1.2 - Appendix A.4.1 (Hello messages)". IETF. Retrieved July 10, 2013.
- Ristic, Ivan (August 7, 2013). "Defending against the BREACH Attack". Qualys. Retrieved August 12, 2013.
- Leyden, John (September 14, 2012). "The perfect CRIME? New HTTPS web hijack attack explained". The Register. Retrieved September 16, 2012.
- Sysoev, Igor (September 26, 2012). "Nginx mailing list: crime tls attack". nginx.org. Retrieved July 11, 2013.
- Goodin, Dan (August 1, 2013). "Gone in 30 seconds: New attack plucks secrets from HTTPS-protected pages".