SSL Crime Vulnerability Scanner
Check your SSL/TLS configuration for the CRIME vulnerability. Ensure your server does not use HTTP compression for encrypted sessions.
Short Info
Level: Medium
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 20 seconds
Time Interval: 1 month 4 days
Scan only one: Domain, IPv4
Toolbox: -
What is SSL CRIME Vulnerability?
SSL CRIME (Compression Ratio Info-leak Made Easy) is a vulnerability that exploits HTTP compression in SSL/TLS connections. Because the size of compressed data depends on its content, an attacker who can observe the length of encrypted records can infer sensitive information such as session cookies or authentication tokens.
The attack involves sending specially crafted requests to a target server and observing the size of the compressed responses. Over many iterations, the attacker deduces the sensitive data byte by byte by exploiting the predictable behaviour of compression algorithms. CRIME primarily affects SSL/TLS configurations that support compression methods such as DEFLATE or gzip.
To protect against this vulnerability, compression should be disabled for encrypted sessions. Modern browsers and servers disable it by default, so CRIME is largely mitigated, but outdated or misconfigured systems remain susceptible.
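As an added example (not part of this scanner or the page's own tooling), the following Python script performs the precondition check from the defender's side: it sends a TLS ClientHello that offers DEFLATE compression and reports which compression method the server selects in its ServerHello. The cipher-suite list and the host name are assumptions; the parser can also be exercised offline against a constructed ServerHello record.

```python
import os
import socket
import struct

TLS_HANDSHAKE = 0x16
COMPRESSION_NAMES = {0: "null", 1: "DEFLATE", 64: "LZS"}

def build_client_hello(server_name: str) -> bytes:
    """TLS 1.2 ClientHello offering DEFLATE (1) and null (0) compression, with SNI."""
    name = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = b"\x00\x00" + struct.pack("!H", len(sni_list)) + sni_list
    # Assumed suite list: a few widely supported ECDHE/RSA suites so most servers can answer.
    suites = b"".join(struct.pack("!H", s) for s in (0xC013, 0xC014, 0x009C, 0x002F, 0x0035))
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"          # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x02\x01\x00"                               # compression_methods: DEFLATE, null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_server_hello_compression(record: bytes):
    """Compression method selected in a ServerHello record, or None if the record is not one (e.g. an alert)."""
    if len(record) < 47 or record[0] != TLS_HANDSHAKE or record[5] != 0x02:
        return None
    pos = 5 + 4 + 2 + 32                 # record header, handshake header, version, random
    pos += 1 + record[pos] + 2           # length-prefixed session_id, then cipher_suite
    return record[pos] if pos < len(record) else None

def _recv_exact(sock: socket.socket, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        data += chunk
    return data

def recv_record(sock: socket.socket) -> bytes:
    header = _recv_exact(sock, 5)
    return header + _recv_exact(sock, struct.unpack("!H", header[3:5])[0])

def check_tls_compression(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, offer compression, and report what the server selected."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        method = parse_server_hello_compression(recv_record(sock))
    if method is None:
        return "no ServerHello received (handshake rejected)"
    return COMPRESSION_NAMES.get(method, f"unknown ({method})")
```

Call `check_tls_compression("your-host.example")` against a server you administer; any result other than `null` means the server still accepts TLS-level compression and should be reconfigured.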