ID: IRCNE2012091612
Date: 2012-09-10
According to "techworld", two security researchers claim to have developed a new attack that can decrypt session cookies from HTTPS (Hypertext Transfer Protocol Secure) connections.
Websites use session cookies to remember authenticated users. If an attacker gains access to a user's session cookie while the user is still authenticated to a website, the hacker could use it to access the user's account on that website.
HTTPS should prevent this type of session hijacking because it encrypts session cookies while in transit or when stored in the browser. However, the new attack, devised by security researchers Juliano Rizzo and Thai Duong, is able to decrypt them.
The attack exploits a weakness in a particular feature of the TLS (Transport Layer Security) cryptographic protocol and its predecessor, the SSL (Secure Sockets Layer) protocol, which are used to implement HTTPS.
All SSL and TLS versions are affected and the exploited feature is commonly used in SSL/TLS deployments, Rizzo said Thursday via email. The researcher declined to reveal which feature is vulnerable before the attack's presentation at Ekoparty.
The CRIME attack code, known as an agent, needs to be loaded inside the victim's browser. This can be done either by tricking the victim into visiting a rogue website or, if the attacker has control over the victim's network, by injecting the attack code into an existing HTTP connection.
CRIME was tested successfully with Mozilla Firefox and Google Chrome. However, other browsers could also be affected, Rizzo said.
Mozilla and Google have already prepared patches that block the attack but they have not yet been released, the researcher said.
- 2