SSL Crime
Check your SSL/TLS configuration for the CRIME vulnerability. The compression methods you are using may put you at risk. Let's check your SSL for compression security.
Short Info
Level: Low
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 6 seconds
Time Interval: 1 month 4 days
Scan only one: Domain, IPv4, Subdomain
Toolbox: -

What is the CRIME Vulnerability
CRIME stands for "Compression Ratio Info-leak Made Easy". It allows an attacker to hijack an authenticated web session, which enables further attacks. HTTPS session cookies are decrypted by using brute force, and the obtained cookie can be used to log in to the victim's account.
The cookie is retrieved by tricking the browser into sending encrypted, compressed requests to protected websites and exploiting the data unintentionally leaked during the process. Extra data that has been tweaked by malicious JavaScript code is embedded along with the cookies within each request. The differences in the sizes of the compressed messages are measured to determine the cookie’s contents, character by character. This is possible because TLS/SSL and SPDY use a compression algorithm called DEFLATE, which works by removing duplicate strings.
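The size difference described above can be reproduced offline to see why disabling compression removes the leak. This is an added example, not part of the original page: the cookie value, host name and function names are constructed for illustration, and encryption is assumed to preserve length.

```python
import zlib

# Constructed sample values (not from the page): a secret session cookie
# that the browser attaches to every request to the protected site.
SECRET_COOKIE = "session=7f3a9c21d4e84b06a5c1f0e2b9d73c58"
WRONG_GUESSES = [  # same length as the real value, different content
    "session=0b6e5d1fa2c94783e1d0b4f6a8c25e97",
    "session=c4a81e07f93b2d65b0e7a1c3d8f4962a",
    "session=59d2f6b0e3a71c84f6b9d0a2e5c7138b",
]


def request_bytes(reflected: str) -> bytes:
    """HTTP request where `reflected` is attacker-influenced text (the path)
    and the Cookie header is added by the browser."""
    return (
        f"GET /?{reflected} HTTP/1.1\r\n"
        "Host: example.test\r\n"
        f"Cookie: {SECRET_COOKIE}\r\n\r\n"
    ).encode()


def record_length(reflected: str, compression: bool) -> int:
    """Length an on-path observer sees. Encryption is modelled as
    length-preserving (assumption), so only compression changes the size."""
    data = request_bytes(reflected)
    if compression:
        co = zlib.compressobj(wbits=-15)  # raw DEFLATE stream
        data = co.compress(data) + co.flush()
    return len(data)


def length_signal(compression: bool) -> int:
    """Bytes by which a request repeating the cookie is shorter than the
    shortest request carrying a wrong value. 0 means nothing leaks."""
    hit = record_length(SECRET_COOKIE, compression)
    miss = min(record_length(g, compression) for g in WRONG_GUESSES)
    return miss - hit


if __name__ == "__main__":
    print("signal with compression on :", length_signal(True))
    print("signal with compression off:", length_signal(False))
```

With compression on, the request that repeats the cookie is shorter because DEFLATE replaces the duplicate string with a back-reference; with compression off, every request has the same length and the signal is zero.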
CRIME works against TLS/SSL compression and SPDY. Recent statistics show that about 42% of servers support SSL compression and 0.8% support SPDY.