[Owasp-ireland] A CRIME for Friday

Fabio Cerullo fcerullo at owasp.org
Fri Sep 14 10:52:08 UTC 2012


hi there,

This week everybody is talking about a CRIME attack against TLS to be
presented at the EkoParty conference in Buenos Aires by Juliano Rizzo and
Thai Duong (same crowd who won the “Top Ten Web Hacking Techniques” for
both 2011 and 2010 for their work on BEAST and the Padding Oracle Crypto
Attack). Here is an introduction to the talk:

“Researchers have identified a security weakness that allows them to hijack
web browser sessions even when they’re protected by the HTTPS encryption
that banks and e-commerce sites use to prevent snooping on sensitive
transactions.”

Already caught your attention, right? Well, I'm sharing below a few blog
articles explaining possible ways this attack could be accomplished, with a
live demo included.

Blog post by Whitehat explaining different attack scenarios:
http://blog.whitehatsec.com/crime-mitm-and-xss/

Blog post by Cigital explaining a potential problem with the TLS algorithm:
http://www.cigital.com/justice-league-blog/2012/09/13/crime-latest-attack-against-tls/

Demo of the CRIME TLS Attack:
http://threatpost.com/en_us/blogs/demo-crime-tls-attack-091212

Happy Friday!

Fabio