Stopping CRIME Attacks

Bruce Morton

This article by Dan Goodin appears to give the most complete account of the CRIME attack on SSL/TLS. It answers my first question about what the acronym means: CRIME is short for “Compression Ratio Info-Leak Made Easy.”

It also confirms that the attack works when the connection uses TLS compression. My understanding is that TLS compression is used in SPDY, which is an open networking protocol used by both Google and Twitter.

There is good news. Microsoft Internet Explorer, Google Chrome and Mozilla Firefox are believed to be immune to the attack, as IE never supported SPDY, and Chrome and Firefox have been patched. There may be issues with mobile browsers, but that is still to be confirmed.

The CRIME attack will only work when a vulnerable browser or application is connected to a website that supports TLS compression or SPDY. So, to protect your users, disable SPDY and TLS compression on your website.
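To make concrete why disabling compression is the fix, here is a small added illustration (not from the article) of the "compression ratio info-leak" itself: when a secret cookie and requester-controlled text are compressed together, the size on the wire changes depending on whether the two share content; without compression the size does not. The cookie value, host name and request template are constructed placeholders.

```python
import zlib

# Constructed sample values: a secret cookie that travels alongside a
# path the requester controls, which is the shape CRIME depends on.
SECRET_COOKIE = "session=7f3a9c"  # placeholder, not a real session value
REQUEST_TEMPLATE = (
    "GET /{path} HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Cookie: {cookie}\r\n\r\n"
)


def request_size(path: str, compress: bool) -> int:
    """Bytes on the wire for a request to `path`.

    `compress=True` models a TLS/SPDY connection that compresses the
    request (zlib/DEFLATE stands in for the protocol's compressor);
    `compress=False` models the mitigated server with compression off.
    """
    body = REQUEST_TEMPLATE.format(path=path, cookie=SECRET_COOKIE).encode()
    return len(zlib.compress(body)) if compress else len(body)


def size_depends_on_cookie_overlap(compress: bool) -> bool:
    """True if request size reveals whether the path overlaps the cookie.

    Two paths of identical length are sent: one repeats the start of the
    cookie, the other is unrelated text. With compression enabled the
    repeated text is encoded as a back-reference and the request gets
    smaller, so an observer of ciphertext lengths learns something about
    the cookie. With compression disabled both requests are the same size.
    """
    overlapping = "session=7f"   # shares a prefix with SECRET_COOKIE
    unrelated = "zqvkmx=1bp"     # same length, shares nothing
    assert len(overlapping) == len(unrelated)
    return request_size(overlapping, compress) != request_size(unrelated, compress)


if __name__ == "__main__":
    for compress in (True, False):
        print(f"compression={'on' if compress else 'off'}: "
              f"overlap={request_size('session=7f', compress)} bytes, "
              f"unrelated={request_size('zqvkmx=1bp', compress)} bytes, "
              f"leak={size_depends_on_cookie_overlap(compress)}")
```

Running it shows the leak only exists on the compressed connection, which is exactly what turning off SPDY/TLS compression removes.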

Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.
