More SSL trouble

Published: 2012-09-13
Last Updated: 2012-09-13 14:50:56 UTC
by Mark Baggett (Version: 1)
2 comment(s)

Researchers Juliano Rizzo and Thai Duong will present a new tool called "CRIME" at the upcoming Ekoparty 2012 conference in 5 days.    Their tool takes advantage of a flaw in the SPDY (speedy) TLS compression protocol implementation.   It allows an attacker to hijack an encrypted SSL session.    It appears that for this attack to work both the website and the browser must support the SPDY protocol.     Several widely used websites such as Google, Gmail and Twitter do support the SPDY protocol.    Both the Firefox and Chrome browsers also support this protocol.    Internet Explorer and Safari does not support SPDY and are not vulnerable.    

It is recommended that you disable the use of the SPDY protocol on your HTTPS websites until the problem is addressed.



Join me in San Antonio Texas November 27th for SANS 504 Hacker Techniques, Exploits and Incident Response!  Register Today!!

Mark Baggett

Twitter: @MarkBaggett

2 comment(s)
Diary Archives