CRIME (SPDY) attack

Impact: Low


The CRIME (Compression Ratio Info-leak Made Easy) attack targets the SPDY protocol versions 3 and earlier, used in browsers like Mozilla Firefox and Google Chrome. It exploits TLS encryption of compressed data without adequately hiding the length of unencrypted data. By observing length differences, attackers can infer plaintext HTTP headers, potentially leading to session hijacking.


To mitigate CRIME attacks in SPDY, disable SPDY compression or switch to an HTTP/2.0 profile. Implement TLS encryption with Perfect Forward Secrecy (PFS) to prevent decryption of past communications. Regularly update browsers and server software to patch vulnerabilities.


Last updated on May 13, 2024

Use SmartScanner Free version to test for this issue