View Single Post
  #1   (View Single Post)  
Old 10th September 2012
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,977
Default New attack against TLS/SSL obtains session cookies from HTTPS

As reported in full by ComputerWorld, the two reasearchers who developed the BEAST attack against TLS 1.0 have developed a new protocol attack they call "CRIME":
Quote:
The attack exploits a weakness in a particular feature of the TLS (Transport Layer Security) cryptographic protocol and its predecessor, the SSL (Secure Sockets Layer) protocol, which are used to implement HTTPS.

All SSL and TLS versions are affected and the exploited feature is commonly used in SSL/TLS deployments...
Computerworld noted that both Mozilla and Google have already prepared patches that block the attack vector to their browsers.

As with BEAST last year, details will only be released at the Ekoparty Security Conference to be held in Buenos Aires later this month.
Reply With Quote