The security researchers who brought us BEAST now have a new SSL/TLS attack: CRIME. I would like to know what the acronym CRIME stands for, but we’ll probably have to wait until Juliano Rizzo and Thai Duong present their work at Ekoparty Security Conference later this month.
Little information about the attack has been published. The attack exploits an SSL/TLS feature that is used to implement HTTPS and affects all versions of SSL and TLS. The attack is performed by an agent that needs to be loaded on the victim’s browser. The attacker must also be able to sniff the victim’s HTTPS traffic.
The attack was successfully tested against both Mozilla Firefox and Google Chrome. Mozilla and Google have already prepared patches for their browsers, but those patches have not yet been released. My assumption is that the security researchers advised all browser manufacturers of the attack and that patches will be prepared for all susceptible browsers.
From our perspective as a publicly-trusted CA, the good news is that this is not an attack on CAs or on certificates. It is an SSL/TLS protocol attack that will be mitigated by new software releases. The fix will not affect the SSL certificates you have purchased from your certificate provider.
We’ll provide more information after Ekoparty.