
SANS ISC: InfoSec Handlers Diary Blog - More SSL trouble



More SSL trouble

Published: 2012-09-13
Last Updated: 2012-09-13 14:50:56 UTC
by Mark Baggett (Version: 1)
2 comment(s)

Researchers Juliano Rizzo and Thai Duong will present a new tool called "CRIME" at the upcoming Ekoparty 2012 conference in 5 days. Their tool takes advantage of a flaw in the SPDY (speedy) TLS compression protocol implementation and allows an attacker to hijack an encrypted SSL session. It appears that for this attack to work, both the website and the browser must support the SPDY protocol. Several widely used websites such as Google, Gmail and Twitter do support the SPDY protocol. Both the Firefox and Chrome browsers also support this protocol. Internet Explorer and Safari do not support SPDY and are not vulnerable.

It is recommended that you disable the use of the SPDY protocol on your HTTPS websites until the problem is addressed.
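One way to confirm that a server has stopped offering SPDY after the change above, as an added example that is not part of the original diary: parse a ServerHello taken from a packet capture and list the protocols advertised in the NPN extension, which is how SPDY was negotiated in 2012; the result also reports the TLS compression method the server selected (0 is null). The function names and the sample handshake built by `build_sample` are constructed for illustration.

```python
import struct

NPN_EXT = 0x3374  # next_protocol_negotiation, the TLS extension SPDY is offered through
def _npn_names(data):
    """Split NPN extension data into its 1-byte-length-prefixed protocol names."""
    names, pos = [], 0
    while pos < len(data):
        end = pos + 1 + data[pos]
        if end > len(data):
            raise ValueError("truncated NPN entry")
        names.append(data[pos + 1:end].decode("ascii", "replace"))
        pos = end
    return names

def parse_server_hello(msg):
    """Parse one TLS 1.0-1.2 ServerHello handshake message (record header removed)."""
    if len(msg) < 4 or msg[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = msg[4:]
    if len(body) < 38 or len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("bad ServerHello length")
    pos = 35 + body[34]                  # skip server_version, random, session_id
    if pos + 3 > len(body):
        raise ValueError("truncated ServerHello")
    _cipher, compression = struct.unpack_from("!HB", body, pos)
    pos, npn = pos + 3, []
    if pos + 2 <= len(body):             # the extensions block is optional
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        if end > len(body):
            raise ValueError("extensions overrun message")
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            if pos + ext_len > end:
                raise ValueError("extension overruns block")
            if ext_type == NPN_EXT:
                npn = _npn_names(body[pos:pos + ext_len])
            pos += ext_len
    return {"compression": compression, "npn": npn,
            "spdy_offered": any(n.lower().startswith("spdy/") for n in npn)}

def build_sample(protocols, compression=0):  # constructed ServerHello, not captured traffic
    exts = struct.pack("!HH", 0xFF01, 1) + b"\x00"   # empty renegotiation_info
    if protocols:
        npn = b"".join(bytes([len(p)]) + p for p in protocols)
        exts += struct.pack("!HH", NPN_EXT, len(npn)) + npn
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!HBH", 0x2F, compression, len(exts)) + exts
    return b"\x02" + len(body).to_bytes(3, "big") + body
```

A server that still lists `spdy/2` or `spdy/3` in its ServerHello has not had the recommended change applied.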

References:

http://security.stackexchange.com/questions/19911/crime-how-to-beat-the-beast-successor

http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/

http://threatpost.com/en_us/blogs/new-attack-uses-ssltls-information-leak-hijack-https-sessions-090512

http://www.computerworld.com/s/article/9231013/Security_researchers_to_present_new_39_CRIME_39_attack_against_SSL_TLS

 

Join me in San Antonio Texas November 27th for SANS 504 Hacker Techniques, Exploits and Incident Response!  Register Today!!

Mark Baggett

Twitter: @MarkBaggett
