'CRIME' attack abuses SSL/TLS data compression feature to hijack HTTPS
The 'CRIME' attack announced last week exploits the data compression scheme used by the TLS (Transport Layer Security) and SPDY protocols to decrypt user authentication cookies from HTTPS (HTTP Secure) traffic, one of the attack's creators confirmed Thursday.
The 'CRIME' attack was developed by security researchers Juliano Rizzo and Thai Duong, who plan to present it next week at the Ekoparty security conference in Buenos Aires, Argentina.
Rizzo and Duong revealed last week that CRIME abuses an optional feature present in all versions of TLS and SSL (Secure Sockets Layer) -- the cryptographic protocols used by HTTPS. However, they declined to name the feature at that time.