![]() Divide and conquer techniques can then be used to home in on the true secret content in a relatively small number of probe attempts that is a small multiple of the number of secret bytes to be recovered. When the size of the compressed content is reduced, it can be inferred that it is probable that some part of the injected content matches some part of the source, which includes the secret content that the attacker desires to discover. The attacker than observes the change in size of the compressed request payload, which contains both the secret cookie that is sent by the browser only to the target site, and variable content created by the attacker, as the variable content is altered. It relies on the attacker being able to observe the size of the ciphertext sent by the browser while at the same time inducing the browser to make multiple carefully crafted web connections to the target site. The vulnerability exploited is a combination of chosen plaintext attack and inadvertent information leakage through data compression, similar to that described in 2002 by the cryptographer John Kelsey. When used to recover the content of secret authentication cookies, it allows an attacker to perform session hijacking on an authenticated web session, allowing the launching of further attacks. For other uses, see Crime (disambiguation).ĬRIME ( Compression Ratio Info-leak Made Easy) is a security vulnerability in HTTPS and SPDY protocols that utilize compression, which can leak the content of secret web cookies.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |