
SANS ISC: More SSL trouble - SANS Internet Storm Center


More SSL trouble

Researchers Juliano Rizzo and Thai Duong will present a new tool called "CRIME" at the upcoming Ekoparty 2012 conference in 5 days. Their tool takes advantage of a flaw in the implementation of the SPDY ("speedy") TLS compression protocol. It allows an attacker to hijack an encrypted SSL session. It appears that for this attack to work, both the website and the browser must support the SPDY protocol. Several widely used websites, such as Google, Gmail and Twitter, support SPDY, as do the Firefox and Chrome browsers. Internet Explorer and Safari do not support SPDY and are not vulnerable.

It is recommended that you disable the use of the SPDY protocol on your HTTPS websites until the problem is addressed.
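To verify that the recommendation above has actually taken effect on your own servers, the following added audit script (not part of the original diary) drives `openssl s_client` with the `-nextprotoneg` option and parses its "Next protocol:" and "Compression:" lines; the sample outputs are constructed, and the exact line formats and the NPN status codes (1 = negotiated, 2 = no overlap, client fell back to its own first choice) are assumptions about s_client's output.

```python
import re
import subprocess

# Constructed s_client excerpts, not captured from any real host.
SAMPLE_SPDY = "SSL-Session:\nNext protocol: (1) spdy/3\nCompression: NONE\n"
SAMPLE_CLEAN = "SSL-Session:\nCompression: NONE\n"
SAMPLE_FALLBACK = "Next protocol: (2) spdy/3\nCompression: zlib\n"

NPN_RE = re.compile(r"^Next protocol: \((\d+)\) (\S*)", re.M)
COMP_RE = re.compile(r"^Compression: (\S+)", re.M)


def parse_s_client(text):
    """Pull the NPN outcome and TLS compression status out of s_client output."""
    report = {"npn_status": None, "npn_protocol": None, "tls_compression": None}
    m = NPN_RE.search(text)
    if m:
        report["npn_status"] = int(m.group(1))
        report["npn_protocol"] = m.group(2)
    m = COMP_RE.search(text)
    if m:
        report["tls_compression"] = None if m.group(1) == "NONE" else m.group(1)
    return report


def assess(report):
    """Return the findings a defender cares about for a CRIME-style exposure."""
    findings = []
    # Only status 1 means the server really agreed to SPDY; status 2 is the
    # client's own fallback choice, so the protocol name alone proves nothing.
    if report["npn_status"] == 1 and (report["npn_protocol"] or "").startswith("spdy/"):
        findings.append("SPDY offered via NPN: " + report["npn_protocol"])
    if report["tls_compression"]:
        findings.append("TLS-level compression enabled: " + report["tls_compression"])
    return findings


def probe(host, port=443, timeout=15):
    """Run the live check against one host (requires the openssl binary)."""
    cmd = ["openssl", "s_client", "-connect", "%s:%d" % (host, port),
           "-servername", host, "-nextprotoneg", "spdy/3,spdy/2,http/1.1"]
    out = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout).stdout
    return assess(parse_s_client(out.decode("utf-8", "replace")))


if __name__ == "__main__":
    for name, sample in [("spdy", SAMPLE_SPDY), ("clean", SAMPLE_CLEAN)]:
        print(name, assess(parse_s_client(sample)))
```

An empty findings list after you have removed SPDY from the server configuration is the result you want; a hit on TLS compression is worth fixing at the same time.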

References:

http://security.stackexchange.com/questions/19911/crime-how-to-beat-the-beast-successor

http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/

http://threatpost.com/en_us/blogs/new-attack-uses-ssltls-information-leak-hijack-https-sessions-090512

http://www.computerworld.com/s/article/9231013/Security_researchers_to_present_new_39_CRIME_39_attack_against_SSL_TLS


Join me in San Antonio Texas November 27th for SANS 504 Hacker Techniques, Exploits and Incident Response!  Register Today!!

Mark Baggett

Twitter: @MarkBaggett

To disable SPDY support in Firefox 13 or later (previous versions have it disabled by default), edit the chrome settings:
network.http.spdy.enabled = false
network.http.spdy.enabledv2 = false (present in FF 15)

AndrewB

21 Posts
If it's really SPDY-related, it sounds like over-hyping.

http://news.netcraft.com/archives/2012/05/02/may-2012-web-server-survey.html - "In the May 2012 survey we received responses from 662,959,946 sites ..."

"Tracking of web servers using SPDY, an experimental network protocol intended to decrease web page loading times, has been added to the survey. We found a total of 339 SSL certificates used with SPDY-enabled servers. Usage outside of Google's properties is limited, though a few sites such as humblebundle.com and webtide.com support it."

My calculator doesn't have enough zeroes to the right of the decimal point to calculate the percentage of sites actually using SPDY.
Anonymous
