Skip to content
— CH. 1 · INTRODUCTION —

CRIME

~4 min read · Ch. 1 of 6
6 sections
  • CRIME stands for Compression Ratio Info-leak Made Easy, and it turns one of the web's helpful conveniences into a weapon. Data compression exists to make web traffic smaller and faster. This vulnerability proves that smaller can also mean leaky. CRIME targets HTTPS and SPDY protocols that use compression, and it can leak the content of secret web cookies. Recover the right cookie, and an attacker can hijack an authenticated web session.

    The trick is almost deceptively simple. An attacker watches how big a compressed message becomes, then nudges it slightly and watches again. How does measuring the size of scrambled data reveal a secret hidden inside it? Why did a feature meant to save bandwidth open a door to session hijacking? And how did a fix for one form of CRIME leave another form untouched for more than a year? The answers run from a cryptographer's 2002 insight to a security conference stage in 2012.

  • Chosen plaintext attack and inadvertent information leakage through data compression: those two ideas combine to make CRIME possible. The second of them was described in 2002 by the cryptographer John Kelsey, long before anyone built a working exploit around it. CRIME relies on the attacker being able to observe the size of the ciphertext sent by the browser. At the same time, the attacker induces the browser to make multiple carefully crafted web connections to the target site.

    Every request the browser sends carries two things bundled together. One is the secret cookie, which the browser sends only to the target site. The other is variable content created by the attacker. The attacker alters that variable content and watches the change in size of the compressed request payload. When the compressed size shrinks, that drop is a clue. It suggests that some part of the injected content matches some part of the source, which includes the secret the attacker wants.

    A single shrinking message is not enough on its own. Divide and conquer techniques let the attacker home in on the true secret content. The payoff is efficiency: the number of probe attempts is only a small multiple of the number of secret bytes to be recovered. That economy is what makes a guessing game against a hidden cookie practical rather than hopeless.

  • Adam Langley hypothesized the CRIME exploit before anyone proved it could work in the real world. The first working demonstration came from security researchers Juliano Rizzo and Thai Duong. The same pair had earlier created the BEAST exploit, so this was not their first strike against web security. CRIME was due to be revealed in full at the 2012 ekoparty security conference.

    Rizzo and Duong did not frame CRIME as a narrow trick against one protocol. They presented it as a general attack that works effectively against a large number of protocols. The list includes SPDY, which always compresses request headers. It also includes TLS, which may compress records, and HTTP, which may compress responses. That breadth is why the same underlying weakness would later resurface under a different name.

  • Compression is the fuel CRIME runs on, so removing compression defeats it. The fix can happen at either end of the connection. A browser can disable the compression of SPDY requests at the client end. A website can refuse data compression on such transactions using the protocol negotiation features of the TLS protocol.

    The Transport Layer Security Protocol Version 1.2 spells out how that negotiation works. The client sends a list of compression algorithms in its ClientHello message. The server then picks one of them and sends it back in its ServerHello message. Because the server can only choose a method the client has offered, a client that offers only 'none' guarantees no compression. The rule runs the other way too. Since 'no compression' must be allowed by all TLS clients, a server can always refuse to compress.

  • The latest versions of the Chrome and Firefox web browsers mitigated the CRIME exploit against SPDY and TLS-level compression. Some websites applied their own countermeasures as well. On the server side, the nginx web-server avoided the flaw early. It was not vulnerable since versions 1.0.9 and 1.1.6 in October and November 2011 when using OpenSSL 1.0.0 and above. It was safe across all versions of OpenSSL since 1.2.2 and 1.3.2 in June and July 2012.

    Those fixes covered SPDY and TLS, but not everything. As of December 2013, the CRIME exploit against HTTP compression had not been mitigated at all. Rizzo and Duong warned that this strand of the vulnerability might be even more widespread than SPDY and TLS compression combined. That warning pointed straight at the unfinished half of the problem.

  • At the August 2013 Black Hat conference, researchers Gluck, Harris and Prado announced a variant of the CRIME exploit. They named it BREACH, short for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext. Rather than attacking the protocol layers others had already patched, BREACH aimed at HTTP compression.

    BREACH uncovers HTTPS secrets by attacking the inbuilt HTTP data compression used by webservers. That compression exists to reduce network traffic, the same well-meaning optimization that gave CRIME its name. By targeting the strand still unmitigated in late 2013, BREACH turned an open warning into a working attack against the very compression websites relied on to stay fast.

Common questions

What is the CRIME security vulnerability?

CRIME, short for Compression Ratio Info-leak Made Easy, is a security vulnerability in HTTPS and SPDY protocols that use compression. It can leak the content of secret web cookies, and recovering an authentication cookie lets an attacker perform session hijacking on an authenticated web session.

How does the CRIME attack work?

CRIME combines a chosen plaintext attack with information leakage through data compression. The attacker observes the size of the ciphertext sent by the browser while inducing it to make crafted connections, then watches the compressed payload shrink when injected content matches the secret cookie. Divide and conquer techniques recover the secret in a number of probes that is a small multiple of the secret's byte length.

Who discovered the CRIME exploit?

The CRIME exploit was hypothesized by Adam Langley and first demonstrated by security researchers Juliano Rizzo and Thai Duong. Rizzo and Duong also created the earlier BEAST exploit and were due to reveal CRIME in full at the 2012 ekoparty security conference.

How can the CRIME vulnerability be prevented?

CRIME can be defeated by preventing the use of compression at either end of the connection. A browser can disable compression of SPDY requests, or a website can refuse compression using the TLS protocol negotiation, where a client offering only 'none' or a server refusing compression ensures data is not compressed.

What is the BREACH attack and how is it related to CRIME?

BREACH, short for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext, is a variant of the CRIME exploit announced at the August 2013 Black Hat conference by researchers Gluck, Harris and Prado. It uncovers HTTPS secrets by attacking the inbuilt HTTP data compression that webservers use to reduce network traffic.

Was the CRIME exploit against HTTP compression fixed?

As of December 2013, the CRIME exploit against HTTP compression had not been mitigated at all, even though the SPDY and TLS-level versions were addressed in the latest Chrome and Firefox browsers. Rizzo and Duong warned that this HTTP variant might be even more widespread than SPDY and TLS compression combined.

All sources

11 references cited across the entry

  1. 1webCVE-2012-4929Mitre Corporation
  2. 2bookFast Software EncryptionJ. Kelsey — 2002
  3. 4webCRIME - How to beat the BEAST successor?StackExchange.com — September 8, 2012
  4. 6webThe CRIME attackJuliano Rizzo et al. — Ekoparty
  5. 8webCrack in Internet's foundation of trust allows HTTPS session hijackingDan Goodin — Ars Technica — September 13, 2012
  6. 9webThe perfect CRIME? New HTTPS web hijack attack explainedJohn Leyden — September 14, 2012
  7. 10webNginx mailing list: crime tls attackIgor Sysoev — nginx.org — September 26, 2012