Compression Ration Info-leak Made Easy (CRIME)
Author: HollyGraceful Published: 21 October 2022 Last Updated: 03 November 2022
Compression Ration Info-leak Made Easy (CRIME) is a vulnerability in the compression used in Secure Sockets Layer (SSL) and Transport Layer Security (TLS). It also affects Google’s HTTP-like protocol SPDY. It requires an attacker to perform an interception attack but if successful could allow for the decryption of session tokens and other sensitive cookie values. The attack was demonstrated as practical in 2012.
Although CRIME is effectively a client-side issue, it can be mitigated on the server-side by preventing the use of compression.
However, this attack is largely impractical now due to being mitigated in most web browsers in 2012, generally by disabling the use of SSL/TLS compression. In other cases, such as with Internet Explorer, it simply did not support SSL/TLS compression in the first place.
It is recommended that:
- All versions of SSL are disabled.
- Disable TLSv1.0 and TLSv1.1.
Where this is not possible disable SSL compression.