{"id":7819,"date":"2012-10-21T19:59:49","date_gmt":"2012-10-22T00:59:49","guid":{"rendered":"http:\/\/bucktownbell.com\/?p=7819"},"modified":"2012-10-21T19:59:49","modified_gmt":"2012-10-22T00:59:49","slug":"crack-in-internets-foundation-of-trust-allows-https-session-hijacking","status":"publish","type":"post","link":"http:\/\/bucktownbell.com\/?p=7819","title":{"rendered":"Crack in Internet\u2019s foundation of trust allows HTTPS session hijacking"},"content":{"rendered":"<blockquote><p>The technique exploits web sessions protected by the Secure Sockets Layer and Transport Layer Security protocols <strong>when they use one of two data-compression schemes designed to reduce network congestion<\/strong> or the time it takes for webpages to load. Short for Compression Ratio Info-leak Made Easy, CRIME works only when both the browser and server support <a href=\"https:\/\/www.ietf.org\/rfc\/rfc3749.txt\">TLS compression<\/a> or <a href=\"http:\/\/www.chromium.org\/spdy\">SPDY<\/a>, an open networking protocol used by both Google and Twitter. Microsoft&#8217;s Internet Explorer, Google&#8217;s Chrome and Mozilla&#8217;s Firefox browsers are all believed to be immune to the attack, but at time of writing smartphone browsers and a myriad of other applications that rely on TLS are believed to remain vulnerable.<\/p><\/blockquote>\n<p>via <a href=\"http:\/\/arstechnica.com\/security\/2012\/09\/crime-hijacks-https-sessions\/\">Crack in Internet\u2019s foundation of trust allows HTTPS session hijacking | Ars Technica<\/a>.<\/p>\n<blockquote><p>A side effect of compression, security experts have long known, is that it leaks clues about the encrypted contents. That means it provides a &#8220;side channel&#8221; to adversaries who have the ability to monitor the data. A <a href=\"http:\/\/www.iacr.org\/cryptodb\/archive\/2002\/FSE\/3091\/3091.pdf\">research paper published in 2002<\/a> by John Kelsey looks eerily similar to CRIME, but only in retrospect.<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>The technique exploits web sessions protected by the Secure Sockets Layer and Transport Layer Security protocols when they use one of two data-compression schemes designed to reduce network congestion or the time it takes for webpages to load. Short for &hellip; <a href=\"http:\/\/bucktownbell.com\/?p=7819\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[110],"tags":[935,338,698,312],"class_list":["post-7819","post","type-post","status-publish","format-standard","hentry","category-networking","tag-compression","tag-encryption","tag-security-research","tag-ssltls"],"_links":{"self":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts\/7819","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7819"}],"version-history":[{"count":2,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts\/7819\/revisions"}],"predecessor-version":[{"id":7831,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts\/7819\/revisions\/7831"}],"wp:attachment":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7819"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7819"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7819"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}