Compression Ration Info-leak Made Easy (CRIME) is a vulnerability in the compression used in Secure Sockets Layer (SSL) and Transport Layer Security (TLS). It also affects Google’s HTTP-like protocol SPDY. It requires an attacker to perform an interception attack but if successful could allow for the decryption of session tokens and other sensitive cookie values. The attack was demonstrated as practical in 2012.
Although CRIME is effectively a client-side issue, it can be mitigated on the server-side by preventing the use of compression.
However, this attack is largely impractical now due to being mitigated in most web browsers in 2012, generally by disabling the use of SSL/TLS compression. In other cases, such as with Internet Explorer, it simply did not support SSL/TLS compression in the first place.
It is recommended that:
- All versions of SSL are disabled.
- Disable TLSv1.0 and TLSv1.1.
Where this is not possible disable SSL compression.
Decrypting RSA with Obsolete and Weakened Encryption (DROWN)
Decrypting RSA with Obsolete and Weakened Encryption (DROWN) is a vulnerability in servers that support Secure Sockets Layer (SSL) version 2.0. It is a form of cross-platform Bleichenbacher padding oracle attack and would allow a threat actor that is able to perform an interception attack to decrypt intercepted TLS connections by making [...]| Play | Cover | Release Label |
Track Title Track Authors |
|---|