Compression flaw may allow for HTTPS hijacking on some browsers

Rick

Posts: 4,512   +66
Staff

Security researchers have discovered a SSL-based compression flaw which allows hackers to hijack HTTPS-encrypted web sessions. HTTPS, or HTTP Secure, is the same protocol used by online stores, banks and other websites to encrypt the sensitive data transmissions across the net. 

The exploit, dubbed as CRIME or Compression Ratio Info-leak Made Easy, uses an encrypted data stream's own data-compression methods against itself. Check out this article at Ars Technica for a thorough explanation of what researchers discovered.

Compression is essentially a form of a pattern matching -- the feat works by algorithmically finding patterns in information and boiling those patterns down to a smaller but seemingly more random data set. By injecting plain-text transmissions alongside the encrypted ones, clever cryptographers were able to monitor and analyze changes created by compression techniques (I.e. deflate and SPDY), eventually unraveling the cipher.

In order for the exploit to work though, a user's Internet browser must establish a secure connection via TLS compression (deflate) or SPDY (a protocol developed by Google). Most modern browsers support at least one of these technologies but Internet Explorer users will be glad to hear they are safe -- Microsoft's browser has never supported either. Somewhat ironically, this is an example of less being more.

Recent releases of Firefox and Chrome have been patched, but it is unknown if Opera, Safari or other browsers are still susceptible. In particular, mobile browsers are a key concern -- researchers believe it is very likely smartphone browsers remain vulnerable.

Permalink to story.

 
Back