Internet architects mull changes to fight SSL-busting CRIME attacks

ronjor · Oct 18, 2012

by Dan Goodin

Engineers who help oversee Internet standards are proposing changes to long-standing website practices in order to guard against a new attack that exposes user login credentials even when they are transmitted through encrypted channels.

The tentative recommendations are included in a draft document filed earlier this week with the IETF, or Internet Engineering Task Force. It is among the first technical documents to grapple with an attack unveiled last month that allowed white hat hackers to decrypt the contents of encrypted session cookies used to log in to user accounts on Dropbox.com, Github.com, and other sites. (The sites took measures to block the exploit after researchers Juliano Rizzo and Thai Duong gave them advanced notice of their exploit.) Short for Compression Ratio Info-leak Made Easy, CRIME provided a reliable and repeatable means for attackers to defeat the widely used secure sockets layer and transport layer security protocols. Together, they form the basis of virtually all encryption between websites and end users.
Click to expand...

http://arstechnica.com/security/201...l-changes-to-fight-ssl-busting-crime-attacks/

elapsed · Oct 19, 2012

Here's a better idea, tell Google and Mozilla to move their buts and implement TLS 1.2 and then companies can use the usual tactic of marketing TLS 1.2 support on sites as a "bonus" like companies do for green computing. Turning a GOOD thing into a marketing point... is a good thing.

Log in or Sign up

Internet architects mull changes to fight SSL-busting CRIME attacks

ronjor Global Moderator

elapsed Registered Member

Log in or Sign up

Internet architects mull changes to fight SSL-busting CRIME attacks

ronjor Global Moderator

elapsed Registered Member

Useful Searches