Hello,

Indeed, compression-based attacks on TLS have been known for a while [1], but it is interesting that this can be exploited at the browser-end.

Best,
Alfredo

[1] https://www.cosic.esat.kuleuven.be/ecrypt/provpriv2012/abstracts/barghavan.pdf

On Thu, Sep 13, 2012 at 1:14 PM, Nikos Mavrogiannopoulos <[email protected]> wrote:
> Hello,
> If you're not already aware there is a new attack on TLS called
> "crime". I was asked by the author of this attack not to disclose any
> information, but it seems it is public already [0] so I can comment on
> it. That attack takes advantage of compression and by forcing an HTTPS
> client to use carefully formatted data it may be able to guess the
> contents of other non-controlled by the attacker data, based on the
> compressed size. Because there is no formal description of the attack,
> nor a precise use-case where the attack is considered dangerous, and
> due to that there may be overreactions. The attack works when you have
> compression enabled and data from an adversary can be mixed with
> sensitive data (e.g. a URL that is provided by an adversary is mixed
> with secret cookie data in an HTTPS request). Moreover the adversary
> must be able to invoke multiple trials (e.g. force a user to visit
> specially crafted URLs again and again - perhaps by using javascript).
>
> So currently the threat is mostly on the HTTPS protocol and especially
> browsers. To sum up.
>
> * Who does this attack affect:
> 1. clients or servers that use compression and provide the ability to
> an adversary to inject data (multiple times) in their session.
>
> * How to mitigate the attack?
> 1. Do not enable compression (gnutls doesn't enable it by default)
> 2. When using compression use the CBC ciphers that include a random
> padding up to 255 bytes. That would increase the number of trials an
> attacker needs to perform significantly.
> 3. Make sure that even if you must mix adversary-controlled data with
> sensitive data, that the adversary cannot trigger that multiple times.
>
> I'll add a recommendation on the web site later today.
>
> regards,
> Nikos
>
> [0]. http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/
>
> _______________________________________________
> Help-gnutls mailing list
> [email protected]
> https://lists.gnu.org/mailman/listinfo/help-gnutls
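The size dependence and the first two mitigations listed in the quoted message, as an added example that is not part of the original thread or of GnuTLS. Assumptions: zlib stands in for TLS-level compression, the MAC is left out of the padding model, and the request, cookie value, host name and function names are constructed for illustration.

```python
import zlib

# Constructed sample data: a secret the adversary cannot read directly.
SECRET_COOKIE = "Cookie: session=7f3a9c1e5b2d4860"

def build_request(adversary_path: str) -> bytes:
    """HTTP request in which an adversary-chosen path is mixed with the secret cookie."""
    return (f"GET /{adversary_path} HTTP/1.1\r\n"
            "Host: example.test\r\n"
            f"{SECRET_COOKIE}\r\n\r\n").encode()

def plaintext_length(adversary_path: str, compress: bool) -> int:
    """Bytes handed to the cipher; with no padding this length is visible on the wire."""
    data = build_request(adversary_path)
    return len(zlib.compress(data, 9)) if compress else len(data)

def length_depends_on_input(paths, compress: bool) -> bool:
    """True if the observable length varies with the adversary-chosen data."""
    return len({plaintext_length(p, compress) for p in paths}) > 1

def cbc_padded_lengths(n: int, block: int = 16) -> set:
    """Record lengths possible when 1..256 bytes of random CBC padding are added.
    Simplified model (assumption): the MAC is omitted."""
    return {n + pad for pad in range(1, 257) if (n + pad) % block == 0}

# Two equal-length paths (constructed): one repeats part of the secret, one does not.
MATCHING = "Cookie: session=7f3a9c1e"
NON_MATCHING = "Cookie: session=XQZWKJVP"

if __name__ == "__main__":
    for compress in (True, False):
        a = plaintext_length(MATCHING, compress)
        b = plaintext_length(NON_MATCHING, compress)
        leak = length_depends_on_input([MATCHING, NON_MATCHING], compress)
        print(f"compression={compress}: matching={a} non-matching={b} leak={leak}")
    # With random CBC padding, many record lengths are possible for both inputs,
    # so a single observation no longer separates them.
    a = plaintext_length(MATCHING, True)
    b = plaintext_length(NON_MATCHING, True)
    shared = cbc_padded_lengths(a) & cbc_padded_lengths(b)
    print(f"padded record lengths possible for both inputs: {len(shared)}")
```

With compression off the two requests have identical length, which is why mitigation 1 removes the signal entirely while mitigation 2 only hides it behind noise.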
