CRIME (SPDY) attack
Impact: Low
Description
The CRIME (Compression Ratio Info-leak Made Easy) attack targets SPDY protocol versions 3 and earlier, as used in browsers like Mozilla Firefox and Google Chrome. It exploits the fact that TLS encrypts compressed data without adequately hiding the length of the unencrypted data. By observing length differences, attackers can infer plaintext HTTP headers, potentially leading to session hijacking.
Recommendation
To mitigate CRIME attacks in SPDY, disable SPDY compression or switch to an HTTP/2.0 profile. Implement TLS encryption with Perfect Forward Secrecy (PFS) to prevent decryption of past communications. Regularly update browsers and server software to patch vulnerabilities.
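The length signal described above, and its disappearance once compression is disabled, can be measured offline. This is an added example, not part of the original page. It assumes plain zlib as a stand-in for SPDY header compression and a cipher that preserves plaintext length, and all header values are constructed.

```python
import zlib

# Constructed sample values; not taken from any real session.
SECRET_COOKIE = "session=7f3a9c1e5b2d4086a1c3e5f7092b4d6e"
MATCHING = SECRET_COOKIE                                   # repeats the secret
NON_MATCHING = "qwzxkvj=ZYXWVUTSRQPONMLKJIHGFEDCBA987654"  # same length, no overlap


def header_block(request_value: str) -> bytes:
    """Header block that mixes a request-controlled value with a secret cookie."""
    return (
        ":method: GET\r\n"
        f":path: /?q={request_value}\r\n"
        ":host: example.test\r\n"
        f"cookie: {SECRET_COOKIE}\r\n"
    ).encode()


def wire_length(block: bytes, compress: bool) -> int:
    """Length visible on the wire.

    Assumption: the cipher preserves plaintext length, so the record
    length tracks the (possibly compressed) plaintext length.
    """
    return len(zlib.compress(block, 9)) if compress else len(block)


def length_gap(compress: bool) -> int:
    """Wire-length difference between a non-matching and a matching value."""
    matching = wire_length(header_block(MATCHING), compress)
    other = wire_length(header_block(NON_MATCHING), compress)
    return other - matching


if __name__ == "__main__":
    # With compression the repeated secret is deduplicated, so the
    # matching request is shorter; without compression the gap is zero.
    print("gap with compression:   ", length_gap(True))
    print("gap without compression:", length_gap(False))
```

A non-zero gap with compression enabled is the leak; a zero gap with it disabled is what the recommended configuration should produce.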
References
- CVE-2012-4930
- CWE-16
- CWE-310
- OWASP 2021-A2
- OWASP 2021-A5
- OWASP 2021-A6
- Wikipedia: CRIME
- Wikipedia: Man-in-the-middle attack
Last updated on May 13, 2024