The size of a single web request can reveal the entire password to a bank account. This is the terrifying reality exposed by the CRIME vulnerability, a flaw that turned the efficiency of data compression into a weapon for stealing secrets. In the early 2010s, the internet relied on compression to make web pages load faster, but this very feature created a side channel for attackers. When a browser sent data to a secure website, the data was compressed to save bandwidth. If an attacker could trick the browser into sending a request containing a secret cookie alongside data the attacker controlled, the resulting compressed size would change. A smaller size meant the attacker's data matched the secret data, allowing the attacker to deduce the secret one character at a time. This process, known as a chosen plaintext attack, turned the invisible compression algorithm into a visible map of the hidden information.
Architects of the Attack
Adam Langley first hypothesized the theoretical possibility of this attack, but it was Juliano Rizzo and Thai Duong who transformed the theory into a practical weapon. These two security researchers, already known for creating the BEAST exploit, demonstrated that CRIME was not just a theoretical curiosity but a devastating reality. They presented their findings at the 2012 ekoparty security conference, revealing that the attack worked against a wide array of protocols including SPDY, TLS, and HTTP. Their demonstration showed that an attacker did not need to break the encryption itself. Instead, they only needed to observe the size of the ciphertext sent by the browser while inducing the browser to make multiple carefully crafted web connections. By varying the content they injected and watching the size of the compressed payload change, they could use divide and conquer techniques to home in on the true secret content in a relatively small number of probe attempts.The Protocol Trap
The vulnerability exploited the fundamental design of how browsers and servers negotiate security. The Transport Layer Security protocol, specifically version 1.2, allows a client to send a list of compression algorithms in its ClientHello message. The server then picks one of these algorithms and sends it back in its ServerHello message. This negotiation process was the key to the attack. If the client only offered no compression, the data would not be compressed, and the vulnerability would disappear. However, most browsers and servers enabled compression by default to improve performance. The attacker could observe the change in size of the compressed request payload, which contained both the secret cookie sent by the browser only to the target site and variable content created by the attacker. When the size of the compressed content was reduced, it could be inferred that it was probable that some part of the injected content matched some part of the source, which included the secret content that the attacker desired to discover.