A CRIME Attack or Compression Ratio Info-leak Made Easy Attack is an attack in which the attacker manages to decrypt the HTTPS cookie placed in a computer of a user and exploit that to impersonate the user in a web application and steals sensitive data thereafter. This attack is possible for HTTPS connections that also use data compression feature of SSL/TLS.
The attack was first found by two security researchers Juliano Rizzo and Thai Duong.
Let's understand what that attack is actually.
HTTPS protocol internally uses SSL/TLS. When two hosts connect to each other using HTTPS protocol, a TLS connection is first established and then the data is transferred in encrypted fashion. So, it is very difficult for an eavesdropper to listen to the conversation and get sensitive information.
On the other hand, when a user logs in to a web application, authentication information is stored in a cookie inside the user's computer. So, after authentication, if the user's browser makes any HTTPS request to the web application, the authentication information stored in the cookie is used.
If an attacker has access to the authentication cookie, he can impersonate the victim to log in to his account in the web application. But, normally it is very difficult for the attacker to access this authentication cookie. Moreover, in HTTPS connection, the cookie is compressed using lossless data compression algorithm and then encrypted and is sent. So, the attacker cannot get the value of the cookie by mere eavesdropping.
In CRIME Attack, the attacker sends several HTTPS requests to the web application with a cookie value which is appended with a few random characters over the actual cookie of the victim. And, listens to the conversation to get the compressed and encrypted value of the cookie. After that, the attacker analyzes the results to get the actual value of the cookie.
To understand further, we need to know a little bit about the lossless compression algorithm that is used in the HTTPS connections.
Let's suupose, the value of the cookie is :
After compression, the value of the cookie would be :
At this point, if we prepend the data with one more A, the cookie and its compressed value would be :
But, if we prepend the value with a B, the cookie and its compressed value would be :
So, if we prepend the data with a B, the compressed value will be less than the compressed value of the data when we prepend it with an A. Thus we have come to know the first part of the data, which is a B. Next, we can prepend the original data with BA, BB and so on and find out that the rest of the data.
So, if someone prepends the data with some carefully chosen values and observes the length of the compressed values, he will be able to guess the whole data. This is true even after the data is encrypted after compression. If someone prepends the original data with random data and observes the length of the compressed and encrypted data, the same relationship will hold.
Now, in a CRIME attack, the attacker first uses some social engineering to trick the victim to click on a link. He may send the victim an email saying, Look at some interesting pictures ! The link actually points to a malicious script of the attacker's website.
When a victim clicks on the link when he is already authenticated to the web application, the malicious script will run and it will send several HTTPS request to the web application using the authentication cookie of the victim, prepended with some random bytes.
At this point, if the attacker is on same wireless networks as that of the victim or is controlling the router of the victim or is in same local networks as that of the victim, the attacker can now listen to the conversation and observe the length of the compressed and encrypted cookie with each HTTPS requests.
As explained above, because of the property of the compression algorithm used in HTTPS connections, the attacker can analyze those values and derive the value of the authentication cookie.
The attacker can now easily impersonate the victim and login to the victim's account in the web application to steal his sensitive data like credit card numbers, social security numbers, passwords etc.
- One way of dealing with CRIME attack is to disable compression mechanism in HTTPS requests.
- TLS connections should use Cipher Chaining Block or CBC ciphers. This will reduce the relationship of encrypted data with the plaintext data, thereby making it much difficult for the attackers to analyze the encrypted data and deduce the actual value of data.
- Cross Site Request Forgery or CSRF Attacks must be prevented efficiently. Because the attacker first injects his malicious script to make several HTTPS requests using CSRF attacks only.
- Browsers should be upgraded with recent security patches.
So, beware of various security vulnerabilities, so that you can protect your data in a better way and stay safe, stay secured.