Tuesday, September 11, 2012

CRIME : New SSL/TLS attack for Hijacking HTTPS Sessions | Sedulity Groups

The new attack has been given the name CRIME by the researchers. The CRIME attack is based on a weak spot in a special feature in TLS 1.0, but exactly which that feature is has not been revealed by the researchers. They will say that all versions of TLS/ SSL including TLS 1.2, on which the BEAST attack did not work are vulnerable.
Once they had the cookie, Rizzo and Duong could return to whatever site the user was visiting and log in using her credentialsHTTPS should prevent this type of session hijacking because it encrypts session cookies while in transit or when stored in the browser. But the new attack, devised by security researchers Juliano Rizzo and Thai Duong, is able to decrypt them.

The CRIME attack code, known as an agent, needs to be loaded inside the victim's browser. This can be done either by tricking the victim into visiting a rogue website or, if the attacker has control over the victim's network, by injecting the attack code into an existing HTTP connection. CRIME doesn't require browser plug-ins to work; JavaScript was used to make it faster, but it could also be implemented without it, Rizzo said.

The attacker must also be able to sniff the victim's HTTPS traffic. This can be done on open wireless networks; on local area networks (LANs), by using techniques such as ARP spoofing; or by gaining control of the victim's home router through a vulnerability or default passwordCRIME was tested successfully with Mozilla Firefox and Google Chrome.

No comments:

Post a Comment