SSL Crime

SSL Crime Detail

Check your SSL/TLS configuration for the CRIME vulnerability. The compression methods you are using may put you at risk. Let's check your SSL for compression security.

What is the CRIME Vulnerability

CRIME stands for "Compression Ratio Info-leak Made Easy". It allows an attacker to hijack an authenticated web session, which enables further attacks. HTTPS session cookies are decrypted by brute force, and the obtained cookie can then be used to log in to the victim's account.

The cookie is retrieved by tricking the browser into sending encrypted, compressed requests to protected websites and exploiting the data unintentionally leaked during the process. Extra data that has been tweaked by malicious JavaScript code is embedded along with the cookies in each request. The differences in size between the compressed messages are measured to determine the cookie's contents, character by character. This is possible because TLS/SSL and SPDY use a compression algorithm called DEFLATE, which works by removing duplicate strings.
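The following added example (not part of the original page) shows why the message size carries information when DEFLATE runs before encryption, and why disabling compression removes that signal. The cookie value, host name and function names are constructed for illustration.

```python
import zlib

# Constructed sample value; not taken from any real session.
SECRET_COOKIE = "session=7f3a9c1e5b2d4068"


def build_request(injected: str) -> bytes:
    """One request holding externally influenced data and the secret cookie."""
    return (
        f"GET /?q={injected} HTTP/1.1\r\n"
        "Host: example.test\r\n"
        f"Cookie: {SECRET_COOKIE}\r\n\r\n"
    ).encode()


def wire_length(injected: str, compression: bool) -> int:
    """Size visible on the network. Encryption hides content, not length,
    so the constant overhead it adds is left out of this model."""
    body = build_request(injected)
    if compression:
        # DEFLATE replaces a repeated string with a short back-reference.
        body = zlib.compress(body, 9)
    return len(body)


def length_gap(compression: bool) -> int:
    """Observed size difference between a non-matching and a matching value."""
    matching = "session=7f3a9c1e5b2d4068"      # equals the cookie
    non_matching = "session=0123456789abcdef"  # same length, different value
    return (wire_length(non_matching, compression)
            - wire_length(matching, compression))


if __name__ == "__main__":
    # With compression the matching request is shorter; without it the
    # two requests have identical length and nothing can be inferred.
    print("gap with compression on: ", length_gap(True))
    print("gap with compression off:", length_gap(False))
```

With compression disabled both requests have the same length, which is why turning off TLS compression is the recommended fix.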

CRIME works against TLS/SSL compression and SPDY. Recent statistics show that about 42% of servers support SSL compression and 0.8% support SPDY.

Some Advice for Common Problems

To avoid the CRIME attack, disable SSL compression. Apache version 2.4.3 and following Nginx versions are vulnerable to CRIME.
