More SSL trouble
Researchers Juliano Rizzo and Thai Duong will present a new tool called "CRIME" at the upcoming Ekoparty 2012 conference in 5 days. Their tool takes advantage of a flaw in the SPDY ("speedy") TLS compression protocol implementation, and allows an attacker to hijack an encrypted SSL session. It appears that for this attack to work both the website and the browser must support the SPDY protocol. Several widely used websites such as Google, Gmail and Twitter do support SPDY, and both the Firefox and Chrome browsers support it as well. Internet Explorer and Safari do not support SPDY and are not vulnerable.
It is recommended that you disable the use of the SPDY protocol on your HTTPS websites until the problem is addressed.
References:
http://security.stackexchange.com/questions/19911/crime-how-to-beat-the-beast-successor
http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/
Join me in San Antonio Texas November 27th for SANS 504 Hacker Techniques, Exploits and Incident Response! Register Today!!
Mark Baggett
Twitter: @MarkBaggett
Comments
network.http.spdy.enabled = false
network.http.spdy.enabledv2 = false (present in FF 15)
AndrewB
Sep 13th 2012
http://news.netcraft.com/archives/2012/05/02/may-2012-web-server-survey.html - "In the May 2012 survey we received responses from 662,959,946 sites ..."
"Tracking of web servers using SPDY, an experimental network protocol intended to decrease web page loading times, has been added to the survey. We found a total of 339 SSL certificates used with SPDY-enabled servers. Usage outside of Google's properties is limited, though a few sites such as humblebundle.com and webtide.com support it."
My calculator doesn't have enough zeroes to the right of the decimal point to calculate the percentage of sites actually using SPDY.
JJ
Sep 14th 2012