dslreports logo
    All Forums Hot Topics Gallery


how-to block ads

Search Topic:
share rss forum feed


reply to MagnusM

Re: Google disables SSL compression in Chrome against new attack

Crack in Internet's foundation of trust allows HTTPS session hijacking:

CRIME works only when both the browser and server support TLS compression or SPDY

Microsoft's Internet Explorer, Google's Chrome and Mozilla's Firefox browsers are all believed to be immune to the attack, but at time of writing smartphone browsers and a myriad of other applications that rely on TLS are believed to remain vulnerable.

Representatives from Google, Mozilla, and Microsoft said their companies' browsers weren't vulnerable to CRIME attacks. Both Google and Mozilla released patches after the weaknesses were privately reported by Juliano Rizzo and Thai Duong, the researchers who devised the CRIME exploits. Internet Explorer was never vulnerable because it never supported SPDY (pronounced "speedy") or the TLS compression scheme known as Deflate.

Even when a browser is vulnerable, an HTTPS session can only be hijacked when one of those browsers is used to connect to a site that supports SPDY or TLS compression.

Months ago I'd disabled SPDY in Firefox to ensure continued correct Proxo filtering. Looks like an even better decision now.