Tag Archives: TLS

Lucky Thirteen TLS Attack

February 5, 2013 by Bruce Morton

Nadhem AlFardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London, announced a new TLS/DTLS attack called Lucky Thirteen.

Summarization of CRIME Attack on SSL

October 2, 2012 by Bruce Morton

I’ve written a few blogs on CRIME, but now that Juliano Rizzo and Thai Duong have presented CRIME at Ekoparty 2012, I thought a summary is due. CRIME is short for “Compression Ratio Info-Leak Made Easy.” In their presentation, Rizzo and Duong reminded us that HTTPS provides confidentiality, integrity and authenticity; however, CRIME decrypts portions [Read More...]

Filed Under: Secure Browsing, SSL Tagged With: CRIME, DEFLATE, encryption

Testing Your SSL Server for CRIME

September 17, 2012 by Bruce Morton

We still have to wait for later this week when Juliano Rizzo and Thai Duong will present their CRIME SSL/TLS attack at Ekoparty Security Conference. Regardless, we now know that the attack is based on the implementation of TLS compression or SPDY (pronounced “speedy”). CRIME uses the vulnerability that there is information leakage when data [Read More...]

Stopping CRIME Attacks

September 13, 2012 by Bruce Morton

This article by Dan Goodin appears to cover the most facts about the CRIME attack on SSL/TLS. It answers my first question about what the acronym means; CRIME is short for “Compression Ratio Info-Leak Made Easy.” It also confirms the attack is performed when the communication uses TLS compression. My understanding is that TLS compression [Read More...]

Speculation on CRIME

September 12, 2012 by Bruce Morton

The SSL industry is waiting for the Ekoparty Security Conference next week to find out more details on the CRIME SSL/TLS attack. Speculation by SSL/TLS experts? The attack is based on TLS compression. Thomas Pornin made this post on IT Security of his guesses on how compression could be used in an attack. This also [Read More...]


September 10, 2012 by Bruce Morton

The security researchers who brought us BEAST now have a new SSL/TLS attack: CRIME. I would like to know what the acronym CRIME stands for, but we’ll probably have to wait until Juliano Rizzo and Thai Duong present their work at Ekoparty Security Conference later this month. Little information about the attack has been published. [Read More...]

Taming the BEAST

October 18, 2011 by Bruce Morton

The BEAST’s reign of terror may soon be over. The more this topic is discussed, the less vulnerable we appear to be. Adrian Dimcev states in his blog, “Although the attack itself is pretty neat and the demo looks scary, its practicality is very low; the average user would probably not need to worry about.” [Read More...]

Filed Under: SSL Deployment Tagged With: RC4, SSL, TLS

BEAST: Attacking SSL/TLS

October 6, 2011 by Bruce Morton

In the wake of the DigiNotar compromise comes BEAST, the latest attack on the SSL/TLS protocol — specifically SSL 3.0 (1996) and TLS 1.0 (1999). The recent attacks on certification authorities (CA) such as Comodo, StartCom, DigiNotar and GlobalSign were attempts to get the CAs to issue fraudulent SSL certificates. BEAST is not used to [Read More...]

Filed Under: Secure Browsing, SSL, SSL Deployment Tagged With: SSL, TLS

Is it SSL, TLS or HTTPS?

May 12, 2011 by Bruce Morton

Throughout this blog I appear to use (or misuse) the terms SSL, TLS and HTTPS interchangeably. From time to time I catch myself and say, “Which one should I be using?” Frankly, my default is to use SSL. When I reference an article or site, I do tend to side with the term it prefers. [Read More...]

Filed Under: General, Technical Tagged With: SSL, TLS

Google is speeding up SSL

December 9, 2010 by Bruce Morton

Everyone loves SSL, also known as Transport Layer Security (TLS), right? Well, the good people at Google have decided to make it even better by speeding it up with a feature called TLS False Start. Setting up an SSL session requires an initial handshake, which is a series of back-and-forth messages between the Web server [Read More...]

Filed Under: Secure Browsing, Technical Tagged With: False Start, Performance, SSL