CRIME (Compression Ratio Info-leak Made Easy) is a security vulnerability in HTTPS and SPDY protocols that utilize compression, which can leak the content of secret web cookies. When used to recover the content of secret authentication cookies, it allows an attacker to perform session hijacking on an authenticated web session, allowing the launching of further attacks. CRIME was assigned CVE-2012-4929.

Details

The vulnerability exploited is a combination of chosen plaintext attack and inadvertent information leakage through data compression, similar to that described in 2002 by the cryptographer John Kelsey. It relies on the attacker being able to observe the size of the ciphertext sent by the browser while at the same time inducing the browser to make multiple carefully crafted web connections to the target site. The attacker then observes the change in size of the compressed request payload, which contains both the secret cookie that is sent by the browser only to the target site, and variable content created by the attacker, as the variable content is altered. When the size of the compressed content is reduced, it can be inferred that some part of the injected content probably matches some part of the source, which includes the secret content that the attacker desires to discover. Divide and conquer techniques can then be used to home in on the true secret content in a relatively small number of probe attempts that is a small multiple of the number of secret bytes to be recovered.

The CRIME exploit was hypothesized by Adam Langley, and first demonstrated by the security researchers Juliano Rizzo and Thai Duong, who also created the BEAST exploit. The exploit was due to be revealed in full at the 2012 ekoparty security conference. Rizzo and Duong presented CRIME as a general attack that works effectively against a large number of protocols, including but not limited to SPDY (which always compresses request headers), TLS (which may compress records) and HTTP (which may compress responses).

Prevention

CRIME can be defeated by preventing the use of compression, either at the client end, by the browser disabling the compression of SPDY requests, or by the website preventing the use of data compression on such transactions using the protocol negotiation features of the TLS protocol. As detailed in The Transport Layer Security (TLS) Protocol Version 1.2, the client sends a list of compression algorithms in its ClientHello message, and the server picks one of them and sends it back in its ServerHello message. The server can only choose a compression method the client has offered, so if the client only offers 'none' (no compression), the data will not be compressed. Similarly, since 'no compression' must be allowed by all TLS clients, a server can always refuse to use compression.

Mitigation

As of September 2012, the CRIME exploit against SPDY and TLS-level compression was described as mitigated in the then-latest versions of the Chrome and Firefox web browsers. Some websites have applied countermeasures at their end. The nginx web server has not been vulnerable to CRIME since 1.0.9/1.1.6 (October/November 2011) using OpenSSL 1.0.0+, and since 1.2.2/1.3.2 (June/July 2012) using all versions of OpenSSL.

As of December 2013, the CRIME exploit against HTTP compression had not been mitigated at all. Rizzo and Duong have warned that this vulnerability might be even more widespread than SPDY and TLS compression combined.

BREACH

Main article: BREACH (security exploit)

At the August 2013 Black Hat conference, researchers Gluck, Harris and Prado announced a variant of the CRIME exploit against HTTP compression called BREACH (short for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext). It uncovers HTTPS secrets by attacking the inbuilt HTTP data compression used by webservers to reduce network traffic.

References

Fisher, Dennis (September 13, 2012). "CRIME Attack Uses Compression Ratio of TLS Requests as Side Channel to Hijack Secure Sessions". ThreatPost. Retrieved September 13, 2012.
"CVE-2012-4929". Mitre Corporation.
Kelsey, J. (2002). "Compression and Information Leakage of Plaintext". Fast Software Encryption. Lecture Notes in Computer Science. Vol. 2365. pp. 263–276. doi:10.1007/3-540-45661-9_21. ISBN 978-3-540-44009-3.
"CRIME - How to beat the BEAST successor?". StackExchange.com. September 8, 2012. Retrieved September 13, 2012.
Langley, Adam (August 16, 2011). "Re: Compression contexts and privacy considerations". spdy-dev (Mailing list).
Goodin, Dan (September 13, 2012). "Crack in Internet's foundation of trust allows HTTPS session hijacking". Ars Technica. Retrieved September 13, 2012.
Rizzo, Juliano; Duong, Thai. "The CRIME attack". Ekoparty. Retrieved September 21, 2012 – via Google Docs.
Dierks, T.; Rescorla, E. (August 2008). "The Transport Layer Security (TLS) Protocol Version 1.2 - Appendix A.4.1 (Hello messages)". IETF. doi:10.17487/RFC5246. Retrieved July 10, 2013.
Leyden, John (September 14, 2012). "The perfect CRIME? New HTTPS web hijack attack explained". The Register. Retrieved September 16, 2012.
Sysoev, Igor (September 26, 2012). "Nginx mailing list: crime tls attack". nginx.org. Retrieved July 11, 2013.
Goodin, Dan (August 1, 2013). "Gone in 30 seconds: New attack plucks secrets from HTTPS-protected pages".

Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.