Security professionals are recommending that operators of websites offering the secure hypertext transfer protocol (HTTPS) disable a bandwidth-saving compression feature to prevent a recently disclosed attack that permits the hijacking of encrypted browsing sessions.
As previously reported by Ars, browsers from Microsoft, Google, Mozilla, Apple, and Opera aren’t vulnerable to the exploit dubbed CRIME, which is short for Compression Ratio Info-leak Made Easy. But until recently both Chrome and Firefox users were susceptible to attacks that allowed hackers to decrypt secure cookies used to log in to e-mail and online bank accounts. Given the number of smaller browsers in use, or the possibility some end users may be using out-of-date software, website operators may want to proactively disable compression used during sessions protected by the SSL, or secure sockets layer, protocol.
“It’s clear that there are an uncountable number of ways to exploit the vulnerability if it is present,” researchers for security firm iSEC Partners wrote in a recent blog post. “Rather than trying to block individual avenues to exploitation—which is likely impossible—we recommend you mitigate the issue at the source by disabling SSL Compression (and SPDY Compression is used.)”
Article by Dan Goodin