Researchers have identified a security weakness that allows them to hijack web browser sessions even when they're protected by the HTTPS encryption that banks and e-commerce sites use to prevent snooping on sensitive transactions.
The technique exploits web sessions protected by the Secure Sockets Layer and Transport Layer Security protocols when they use one of two data-compression schemes designed to reduce network congestion or the time it takes for webpages to load. Short for Compression Ratio Info-leak Made Easy, CRIME works only when both the browser and server support TLS compression or SPDY, an open networking protocol used by both Google and Twitter. Microsoft's Internet Explorer, Google's Chrome and Mozilla's Firefox browsers are all believed to be immune to the attack, but at time of writing smartphone browsers and a myriad of other applications that rely on TLS are believed to remain vulnerable.
CRIME is the latest black eye for the widely used encryption protocols, which act as the Internet's foundation of trust by encrypting traffic that flows over open networks and cryptographically proving websites such as Gmail are really operated by Google rather than criminal hackers or state-sponsored spies. The specter of a new attack that could subvert one of the only widely available protections preventing the interception of sensitive e-mails and web transactions, follows revelations that both Iran and China have actively worked to defeat it so they could spy on its citizens.
"The CRIME attack is the nation-state attack," Matthew Green, a professor specializing in cryptography at Johns Hopkins University, told Ars. "It's not something that some hackers are going to do when you're sitting in Starbucks. It's really something that Iran is going to do to try to find dissidents or China is going to do for the same reason. And it's a big deal because of that, especially if Google and Twitter are the ones who are vulnerable."
Representatives from Google, Mozilla, and Microsoft said their companies' browsers are no longer vulnerable to CRIME attacks. Both Chrome and Firefox were susceptible until recently. Google and Mozilla released patches after the weaknesses were privately reported by Juliano Rizzo (@julianor) and Thai Duong, the researchers who devised the CRIME exploits. Internet Explorer was never vulnerable because it never supported SPDY (pronounced "speedy") or the TLS compression scheme known as Deflate.
That still leaves open the possibility that a raft of smaller browsers are susceptible. This webpage maintained by self-described "Web tinkerer" and Adobe employee Alexis Deveria says that SPDY is supported in beta versions of Opera and production versions of both Firefox and Chrome for Android, as well as the Android browser.
Apple's Safari browser doesn't support SPDY, but its use of compression is unknown. A representative of Opera said there's no support for compression in the browser and SPDY is available only in beta versions. The status of TLS compression in smaller browsers also remained unknown at time of writing. Rizzo told Ars that encryption schemes used in a variety of chat applications, virtual private networks, and other software may also be vulnerable.
Even when a browser is vulnerable, an HTTPS session can only be hijacked when one of those browsers is used to connect to a site that supports SPDY or TLS compression. The Qualys SSL Labs page, which tracks the quality of sites that offer HTTPS protection, shows that services offered by Google and Twitter support SPDY. Ivan Ristic, director of engineering at Qualys, told Ars that 42 percent of sites surveyed by his service support TLS compression. A demonstration video taken by Rizzo and Duong on Wednesday shows Github.com, Dropbox.com, and Stripe.com, when visited with a then-patched version of Chrome, succumbing to the CRIME attack, although all three of those sites had disabled compression at time of writing, meaning they are no longer vulnerable.
Both the GnuTLS and OpenSSL TLS implementations for clients and servers respectively support TLS, making it easy for developers and engineers to fold it into web servers.
The chosen one
Rizzo and Duong are the architects of a separate attack from last year that also defeated TLS protection. It was dubbed BEAST and was short for Browser Exploit Against SSL/TLS). Like that attack, compression-based exploits wield what cryptographers call a chosen plaintext attack on an encrypted session. The technique mixes clear-text data under the control of the attacker with the encrypted payload being targeted. By modifying the clear-text payload hundreds or thousands of times and watching how each one interacts with the encrypted data, an attacker can deduce its contents, usually character by character.
Such attacks can be particularly useful against SSL, since the beginning of each web HTML request contains an authentication cookie with a secret key (which may look something like XS8b1MWZ0QEKJtM1t+QCofRpCsT2u). In a CRIME attack, the encrypted message is combined with attacker-controlled JavaScript that, letter by letter, performs a brute-force attack on the secret key. When it guesses the letter X as the first character of the cookie secret, the encrypted message will appear differently than an encrypted message that uses W or Y. Once the first character is correctly guessed, the attack repeats the process again on the next character in the key until the remainder of the secret is deduced.
Once the session cookie is decrypted, hackers can exploit it to gain unauthorized access to the user account the session cookie is designed to authenticate. The process from start to finish takes "a few minutes," Rizzo said.
Data compression reduces the number of bytes contained in a file or data stream by removing redundant information. CRIME forces a web browser to compress and encrypt requests that contain attacker-controlled data that is combined with the cookie secret. If one of the requests produces fewer encrypted network packets, that's an indication there's more redundancy in the request, and hence the attacker data and the secret data have more information in common. CRIME algorithms decrypt the session cookies by guessing their contents byte by byte. The attacks don't require any browser plugins, and the use of JavaScript isn't necessary, although it does make the brute-force attack faster.
A side effect of compression, security experts have long known, is that it leaks clues about the encrypted contents. That means it provides a "side channel" to adversaries who have the ability to monitor the data. A research paper published in 2002 by John Kelsey looks eerily similar to CRIME, but only in retrospect.
"I don't think anyone realized that this enables an attack on HTTP over TLS, or that an attacker could learn the value of secret cookies sent over a TLS-encrypted connection," a participant in this online discussion observed. "The paper looks at attacks on compression mainly in the abstract, rather than in the specific context of the web, and is pretty theoretical. So, CRIME (or Thomas Pornin's attack) is still a significant novel extension of these ideas."
("Pornin's attack" is a reference to an exploit described in this blog post, where the well-known cryptographer by that name correctly guessed how CRIME worked based on bare-bones clues offered in previous news coverage of the attack. Other speculation that proved to be correct is here.)
Chain of fools
Last year's BEAST attack worked only against an encryption mode known as cipher block chaining. That limitation allowed engineers to block attacks by using encryption algorithms ciphers such as RC4, which don't rely on the mode. There is no such restriction with compression attacks, so the only known way to block them is to disable TLS compression or apply a SPDY patch that's comparable to the one recently added to Chrome.
Rizzo and Duong are scheduled to demonstrate CRIME on September 21 at the Ekoparty security conference in Buenos Aires. Although the attack no longer works on the three most popular browsers to connect to HTTPS-protected websites, CRIME is a potent reminder of the fragility of the protection of encryption. But it likely won't be the last.
"It is easy to try the idea with a short script," Rizzo told Ars. "It's a practical attack against HTTPS and could be a starting point to attack other secure protocols. It's another powerful tool for attackers with access to your network."
Story updated to add Safari, Opera details, make clear that both Chrome and Firefox were vulnerable until recently.
Listing image by public-domain-image.com
reader comments
40