Crack in Internet's foundation of trust allows HTTPS session hijacking

[Eugen Leitl]

http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+All+content%29

Crack in Internet's foundation of trust allows HTTPS session hijacking

Attack dubbed CRIME breaks crypto used to prevent snooping of sensitive data.

by Dan Goodin - Sep 13, 2012 7:47 am UTC

    Black Hat

    National Security

A screen shot from a video showing CRIME decrypting the contents of an
encrypted cookie used to authenticate a dropbox.com user account.

Researchers have identified a security weakness that allows them to hijack
web browser sessions even when they're protected by the HTTPS encryption that
banks and ecommerce sites use to prevent snooping on sensitive transactions.

The technique exploits web sessions protected by the Secure Sockets Layer and
Transport Layer Security protocols when they use one of two data-compression
schemes designed to reduce network congestion or the time it takes for
webpages to load. Short for Compression Ratio Info-leak Made Easy, CRIME
works only when both the browser and server support TLS compression or SPDY,
an open networking protocol used by both Google and Twitter. Microsoft's
Internet Explorer, Google's Chrome and Mozilla's Firefox browsers are all
believed to be immune to the attack, but at time of writing smartphone
browsers and a myriad of other applications that rely on TLS are believed to
remain vulnerable.

CRIME is the latest black eye for the widely used encryption protocols, which
act as the Internet's foundation of trust by encrypting traffic that flows
over open networks and cryptographically proving websites such as Gmail are
really operated by Google rather than criminal hackers or state-sponsored
spies. The specter of a new attack that could subvert one of the only widely
available protections preventing the interception of sensitive e-mails and
web transactions, follows revelations that both Iran and China have actively
worked to defeat it so they could spy on its citizens.

"The CRIME attack is the nation-state attack," Matthew Green, a professor
specializing in cryptography at Johns Hopkins University, told Ars. "It's not
something that some hackers are going to do when you're sitting in Starbucks.
It's really something that Iran is going to do to try to find dissidents or
China is going to do for the same reason. And it's a big deal because of
that, especially if Google and Twitter are the ones who are vulnerable."

Representatives from Google, Mozilla, and Microsoft said their companies'
browsers weren't vulnerable to CRIME attacks. Both Google and Mozilla
released patches after the weaknesses were privately reported by Juliano
Rizzo and Thai Duong, the researchers who devised the CRIME exploits.
Internet Explorer was never vulnerable because it never supported SPDY
(pronounced "speedy") or the TLS compression scheme known as Deflate. That
still leaves open the possibility that a raft of smaller browsers are
susceptible. This webpage maintained by self-described "Web tinkerer" and
Adobe employee Alexis Deveria says that SPDY is supported in beta versions of
Opera and production versions of both Firefox and Chrome for Android, as well
as the Android browser.

Apple's Safari browser doesn't support SPDY, but its use of compression is
unknown. The status of TLS compression in smaller browsers also remained
unknown at time of writing. Rizzo told Ars that encryption schemes used in a
variety of chat applications, virtual private networks, and other software
may also be vulnerable.

Even when a browser is vulnerable, an HTTPS session can only be hijacked when
one of those browsers is used to connect to a site that supports SPDY or TLS
compression. The Qualys SSL Labs page, which tracks the quality of sites that
offer HTTPS protection, shows that services offered by Google and Twitter
support SPDY. Ivan Ristic, director of engineering at security firm Qualys,
told Ars that 42 percent of sites surveyed by his service support TLS
compression. A demonstration video taken by Rizzo and Duong on Wednesday
shows Github.com, Dropbox.com, and Stripe.com succumbing to the CRIME attack,
although all three of those sites had disabled compression at time of
writing, meaning they are no longer vulnerable.

CRIME vs startups

Both the GnuTLS and OpenSSL TLS implementations for clients and servers
respectively support TLS, making it easy for developers and engineers to fold
it into web servers.

The chosen one

Rizzo and Duong are the architects of a separate attack from last year that
also defeated TLS protection. It was dubbed BEAST and was short for Browser
Exploit Against SSL/TLS). Like that attack, compression-based exploits wield
what cryptographers call a chosen plaintext attack on an encrypted session.
The technique mixes clear-text data under the control of the attacker with
the encrypted payload being targeted. By modifying the clear-text payload
hundreds or thousands of times and watching how each one interacts with the
encrypted data, an attacker can deduce its contents, usually character by
character.

Such attacks can be particularly useful against SSL, since the beginning of
each web HTML request contains an authentication cookie with a secret key
(which may look something like XS8b1MWZ0QEKJtM1t+QCofRpCsT2u). In a CRIME
attack, the encrypted message is combined with attacker-controlled JavaScript
that, letter by letter, performs a brute-force attack on the secret key. When
it guesses the letter X as the first character of the cookie secret, the
encrypted message will appear differently than an encrypted message that uses
W or Y. Once the first character is correctly guessed, the attack repeats the
process again on the next character in the key until the remainder of the
secret is deduced.

Once the session cookie is decrypted, hackers can exploit it to gain
unauthorized access to the user account the session cookie is designed to
authenticate. The process from start to finish takes "a few minutes," Rizzo
said.

Data compression reduces the number of bytes contained in a file or data
stream by removing redundant information. CRIME forces a web browser to
compress and encrypt requests that contain attacker-controlled data that is
combined with the cookie secret. If one of the requests produces fewer
encrypted network packets, that's an indication there's more redundancy in
the request, and hence the attacker data and the secret data have more
information in common. CRIME algorithms decrypt the session cookies by
guessing their contents byte by byte. The attacks don't require any browser
plugins, and the use of JavaScript isn't necessary, although it does make the
brute-force attack faster.

A side effect of compression, security experts have long known, is that it
leaks clues about the encrypted contents. That means it provides a "side
channel" to adversaries who have the ability to monitor the data. A research
paper published in 2002 by John Kelsey looks eerily similar to CRIME, but
only in retrospect.

"I don't think anyone realized that this enables an attack on HTTP over TLS,
or that an attacker could learn the value of secret cookies sent over a
TLS-encrypted connection," a participant in this online discussion observed.
"The paper looks at attacks on compression mainly in the abstract, rather
than in the specific context of the web, and is pretty theoretical. So, CRIME
(or Thomas Pornin's attack) is still a significant novel extension of these
ideas."

("Pornin's attack" is a reference to an exploit described in this blog post,
in which the well known cryptographer by that name correctly guessed how
CRIME worked based on bare-bones clues offered in previous news coverage of
the attack. Other speculation that proved to be correct is here.)

Chain of fools

Last year's BEAST attack worked only against an encryption mode known as
cipher block chaining. That limitation allowed engineers to block attacks by
using encryption algorithms such as RC4, which don't rely on the mode. There
is no such restriction with compression attacks, so the only known way to
block them is to disable TLS compression or apply a SPDY patch that's
comparable to the one recently added to Chrome.

Rizzo and Duong are scheduled to demonstrate CRIME on September 21 at the
Ekoparty security conference in Buenos Aires. Although the attack no longer
works on the three most popular browsers to connect to HTTPS-protected
websites, CRIME is a potent reminder of the fragility of the protection of
encryption. But it likely won't be the last.

"It is easy to try the idea with a short script," Rizzo told Ars. "It's a
practical attack against HTTPS and could be a starting point to attack other
secure protocols. It's another powerful tool for attackers with access to
your network."

Story updated to add Safari details.