Speculation on CRIME

September 12, 2012 by Bruce Morton

The SSL industry is waiting for the Ekoparty Security Conference next week to find out more details on the CRIME SSL/TLS attack.

What are SSL/TLS experts speculating? That the attack is based on TLS compression. Thomas Pornin posted his guesses on IT Security about how compression could be used in an attack.

This also ties in with the reports that only Chrome and Firefox were attacked and will be patched; they are the only two browsers that support compression. This may be good news for mitigating the attack, as both Chrome and Firefox version updates are now rolled out quite actively.

Again, we’ll keep following the news on CRIME and provide any updates.

About

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.
