BEAST creators develop new SSL attack

lotuseclat79 · Sep 7, 2012

BEAST creators develop new SSL attack.

Security researchers...are preparing to present a new attack on SSL/TLS at the Ekoparty Security Conference in Argentina later this month, according to Threatpost. The new attack has been given the name CRIME by the researchers.
Click to expand...

-- Tom

lotuseclat79 · Sep 11, 2012

How can you protect yourself from CRIME, BEAST’s successor?

How can you protect yourself from CRIME, BEAST’s successor?.

The post (above link) discusses an excellent hypothetical way to defend against the attack which prompted various modifications (see comments in linked article above) in several products prior to the actual release of the CRIME attack at a conference later this month in Argentina.

-- Tom

EncryptedBytes · Sep 13, 2012

SSL/TLS compression exploit disclosed

(http://security.stackexchange.com/questions/19911/crime-how-to-beat-the-beast-successor/19914#19914)

This attack is supposed to be presented in 10 days from now, but my guess is that they use compression.

SSL/TLS optionally supports data compression. In the ClientHello message, the client states the list of compression algorithms that it knows of, and the server responds, in the ServerHello, with the compression algorithm that will be used. Compression algorithms are specified by one-byte identifiers, and TLS 1.2 (RFC 5246) defines only the null compression method (i.e. no compression at all). Other documents specify compression methods, in particular RFC 3749 which defines compression method 1, based on DEFLATE, the LZ77-derivative which is at the core of the GZip format and also modern Zip archives. When compression is used, it is applied on all the transferred data, as a long stream. In particular, when used with HTTPS, compression is applied on all the successive HTTP requests in the stream, header included. DEFLATE works by locating repeated subsequences of bytes.
Click to expand...

elapsed · Sep 13, 2012

Here is where I am glad that MS isn't supporting Google's "great" new SPDY protocol as IE is immune to the attack. When it comes to encryption new proposals should be rigorously tested, not rushed out before it's even a standard.

Still annoyed at the lack of pushing TLS 1.2 though... so depressing that still only IE and Opera support it.

lotuseclat79 · Sep 14, 2012

Some thoughts on the CRIME attack.

The above linked post if from the Tor project perspective.

-- Tom

lotuseclat79 · Sep 18, 2012

Many ways to break SSL with CRIME attacks, experts warn.

Despite browser fixes, disabling SSL compression on servers may be best defense.
Click to expand...

-- Tom

lotuseclat79 · Oct 20, 2012

Internet architects mull changes to fight SSL-busting CRIME attacks.

IETF proposes change to long-standing practice of compressing encrypted data.
Click to expand...

-- Tom

Log in or Sign up

BEAST creators develop new SSL attack

lotuseclat79 Registered Member

lotuseclat79 Registered Member

EncryptedBytes Registered Member

elapsed Registered Member

lotuseclat79 Registered Member

lotuseclat79 Registered Member

lotuseclat79 Registered Member

Log in or Sign up

BEAST creators develop new SSL attack

lotuseclat79 Registered Member

lotuseclat79 Registered Member

EncryptedBytes Registered Member

elapsed Registered Member

lotuseclat79 Registered Member

lotuseclat79 Registered Member

lotuseclat79 Registered Member

Useful Searches