CRIME Attack on SSL/TLS

September 10, 2012 by Bruce Morton

The security researchers who brought us BEAST now have a new SSL/TLS attack: CRIME. I would like to know what the acronym CRIME stands for, but we’ll probably have to wait until Juliano Rizzo and Thai Duong present their work at Ekoparty Security Conference later this month.

Little information about the attack has been published. The attack exploits an SSL/TLS feature that is used to implement HTTPS and affects all versions of SSL and TLS. The attack is performed by an agent that needs to be loaded on the victim’s browser. The attacker must also be able to sniff the victim’s HTTPS traffic.

The attack was successfully tested on both the Mozilla Firefox and Google Chrome browsers. Mozilla and Google have already prepared patches, but they have not yet been released. My assumption is that the security researchers advised all browser manufacturers of the attack and that patches will be prepared for all susceptible browsers.

From the perspective of a publicly trusted CA, the good news is that this is not a CA or certificate attack. It is an SSL/TLS protocol attack that will be mitigated with new software releases. The fix will not affect the SSL certificates that you have purchased from your certificate provider.

We’ll provide more information after Ekoparty.

About

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.
