Overview#

CRIME is an Data Leakage Exploit which was theorized years ago, but as vividly demonstrated as in the demonstration they recently published.

CRIME Exploits TLS Compression, in the same setup than the BEAST attack (attacker can send some data of its own in a SSL connection, where interesting target data such as a cookie is also sent). Roughly speaking, the attacker puts in its data a potential value for the target string, and, if it matches, compression makes the resulting records shorter.

CRIME is avoided by disabling TLS-level compression. Which is what most browsers now do.

Internet Explorer and IIS never implemented TLS-level compression in the first place (for once, sloppiness saved the day); Firefox and Chrome implemented it, and deactivated in 2014 Summer they were forewarned by Duong and Rizzo, who are quite responsible in their activity.

More details on CRIME:#

• https://security.stackexchange.com/questions/19911/crime-how-to-beat-the-beast-successor

More Information#

There might be more information for this subject on one of the following:

• Attack
• BREACH (security exploit)
• How To Crack SSL-TLS
• Record Protocol
• TLS Compression