CRIME attack

E737308

compression-based attack cryptographic attack side-channel attack

CRIME attack is a cryptographic side-channel attack that exploits compression-based information leakage in TLS/SSL to recover sensitive data such as session cookies.

Try in SPARQL Jump to: Statements Referenced by

Statements (45)

Predicate	Object
instanceOf	compression-based attack ⓘ cryptographic attack ⓘ side-channel attack ⓘ
abbreviation	CRIME ⓘ
affects	HTTPS connections using TLS compression ⓘ servers with TLS compression enabled ⓘ web browsers supporting TLS compression ⓘ
attackType	passive traffic observation with active probing ⓘ
attackVector	chosen-plaintext attack ⓘ
canRecover	CSRF tokens ⓘ authentication tokens ⓘ session cookies ⓘ
category	transport layer security vulnerability ⓘ web security vulnerability ⓘ
CVEReference	CVE-2012-4929 ⓘ
disclosedAt	Ekoparty Security Conference 2012 NERFINISHED ⓘ
disclosureYear	2012 ⓘ
discoveredBy	Juliano Rizzo NERFINISHED ⓘ Thai Duong NERFINISHED ⓘ
environment	encrypted HTTP over TLS ⓘ
exploits	SPDY header compression ⓘ TLS-level compression ⓘ compression-based information leakage ⓘ
hasFullName	Compression Ratio Info-leak Made Easy NERFINISHED ⓘ
impact	confidentiality breach ⓘ
influenced	deprecation of TLS-level compression in modern browsers ⓘ security recommendations for TLS configuration ⓘ
leaks	information via compressed ciphertext length ⓘ
mitigation	disabling SPDY header compression for sensitive data ⓘ disabling TLS compression ⓘ using HTTP-only secure cookies with additional defenses ⓘ
notMitigatedBy	using strong ciphers alone ⓘ
primaryGoal	recovery of secret data from encrypted connections ⓘ session hijacking ⓘ
relatedAttack	BREACH attack ⓘ HEIST attack ⓘ TIME attack ⓘ
requires	ability to inject data into victim’s requests ⓘ network attacker capable of intercepting TLS traffic ⓘ
status	largely mitigated in modern browsers and servers by disabling compression ⓘ
targetsComponent	application-layer secrets embedded in compressed streams ⓘ
targetsProtocol	SPDY NERFINISHED ⓘ SSL NERFINISHED ⓘ TLS NERFINISHED ⓘ
usesProperty	correlation between plaintext similarity and compressed size ⓘ

Referenced by (1)

Full triples — surface form annotated when it differs from this entity's canonical label.

BEAST attack → relatedTo → CRIME attack ⓘ