BEAST developers come up with new SSL/TLS attack
From the security researchers who created and demonstrated the BEAST (Browser Exploit Against SSL/TLS) tool for breaking SSL/TLS encryption comes another attack that exploits a flaw in a feature in all versions of TLS.
Dubbed CRIME by the researchers Juliano Rizzo and Thai Duong, the attack supposedly works similarly to the BEAST attack, and will be presented for the first time to the public during the ekoparty Security conference which is to be held in Argentina later this month.
Without wanting to reveal much about the soon-to be unveiled attack, the researchers shared that the feature in question leaks information that can be used to decrypt user cookies, extract the login information contained in them and hijack their sessions.
“By running JavaScript code in the browser of the victim and sniffing HTTPS traffic, we can decrypt session cookies. We don’t need to use any browser plug-in and we use JavaScript to make the attack faster but in theory we could do it with static HTML,” Rizzo explained to ThreatPost.
This new attack is more effective than the BEAST, as the latter affected only TLS 1.0 and SSL 3.0 and could be foiled by simply switching to other versions of the standard and from using the AES algorithm to employing the RC4 one.
The CRIME, unfortunately, affects all SSL/TLS versions and both Firefox and Chrome are vulnerable to the attack, although the researchers have notified Mozilla and Google about the flaw and patches are expected to be released in the next few weeks.