Forgot your password?
typodupeerror
Encryption

+ - Attack Uses SSL/TLS Info Leak to Hijack HTTPS Sessions ->

Submitted by Gunkerty Jeb
Gunkerty Jeb (1950964) writes "There is a feature supported by the SSL/TLS encryption standard and used by most of the major browsers that leaks enough information about encrypted sessions to enable attackers decrypt users' supposedly protected cookies and hijack their sessions. The researchers who developed the attack that exploits this weakness say that all versions of TLS are affected, including TLS 1.2, and that the cipher suite used in the encrypted session makes no difference in the success of the attack.

The attack was developed by researchers Juliano Rizzo and Thai Duong, the same pair who last year released details of a similar attack on SSL/TLS and wrote a tool called BEAST, which also gave them the ability to decrypt users' cookies and hijack sessions with sensitive sites such as e-commerce or online banking sites. That attack targeted a specific problem with the AES (Advanced Encryption Standard) algorithm as it was implemented in TLS 1.0 and SSL 3.0 and were able to use the BEAST tool to grab encrypted cookies from active user sessions that were supposedly protected by SSL/TLS.

Once they had the cookie, Rizzo and Duong could return to whatever site the user was visiting and log in using her credentials. The attack caused quite a stir in the security and cryptography communities and browser vendors were forced to issue fixes. One of the workarounds that defeated BEAST (Browser Exploit Against SSL/TLS) was to switch from TLS 1.0 to TLS 1.2 or to switch from AES to the RC4 cipher suite. However, Rizzo said that defense won't work against their new attack, which they've dubbed CRIME."

Link to Original Source
This discussion was created for logged-in users only, but now has been archived. No new comments can be posted.

Attack Uses SSL/TLS Info Leak to Hijack HTTPS Sessions

Comments Filter:

Pound for pound, the amoeba is the most vicious animal on earth.

Working...