Engineers who help oversee Internet standards are proposing changes to long-standing website practices in order to guard against a new attack that exposes user login credentials even when they are transmitted through encrypted channels.

The tentative recommendations are included in a draft document filed earlier this week with the IETF, or Internet Engineering Task Force. It is among the first technical documents to grapple with an attack unveiled last month that allowed white hat hackers to decrypt the contents of encrypted session cookies used to log in to user accounts on Dropbox.com, Github.com, and other sites. (The sites took measures to block the exploit after researchers Juliano Rizzo and Thai Duong gave them advanced notice of their exploit.) Short for Compression Ratio Info-leak Made Easy, CRIME provided a reliable and repeatable means for attackers to defeat the widely used secure sockets layer and transport layer security protocols. Together, they form the basis of virtually all encryption between websites and end users.

CRIME is able to deduce the contents of encrypted communications that use data compression to reduce the amount of time it takes to move packets from one point to another. By injecting different pieces of known data into a compressed SSL data stream over and over and then comparing the number of bytes each time, attackers can use the method to deduce the encrypted contents character by character. The method worked against protected Web communications that used TLS compression or SPDY, an open networking protocol developed by Google engineers.

Read 3 remaining paragraphs | Comments

via Ars Technica » Technology Lab http://feeds.arstechnica.com/~r/arstechnica/technology-lab/~3/_0FZOk_t9IE/

Advertisements