This comes from the same school of "Attacker controlled requests inside of an SSL tunnel to reveal some other portion of the data going over SSL" style attacks, BEAST being the other big example. Many people (including me) *think* this is the new CRIME attack Thai and Juliano have announced [0].
The short of it is: by sending guesses of what you think a session cookie is, you can observe how the data compresses if you can observe packet sizes. Guess all 16-64 possible characters, the single character that compressed the smallest was the correct guess. Move to the next. I've confirmed (outside of SSL) that this theory does work in practice and allows you to guess out a portion of a message (the cookie in this case). Porting it to SSL using RC4 should be easy (no padding); for AES it would be trickier because of the block padding, but if you line it up to a boundary I'm sure it's possible. Thomas Pornin has a good writeup here: http://security.stackexchange.com/a/19914 And some circumstantial evidence that this is CRIME is this commit to chrome[1] by the right person, the fact that Tor is not vulnerable to the attack[2] (it chunks data into 512 byte blocks), the hints given that it affects all versions of TLS and the global warming comment, and the fact that CRIME begins with a C for Compression ;) I have a few random unanswered questions: - When did FF disable this? I went looking in the diffs but couldn't find it =/ - Is there any way to fix this without just wholesale disabling compression? - Does this have implications to SPDY? (Which also compresses) -tom [0] http://www.ekoparty.org//2012/thai-duong.php [1] https://chromiumcodereview.appspot.com/10825183 [2] https://twitter.com/nickm_tor/status/243460419501559808 _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
