Security for everyone

SSL Crime

Check your SSL/TLS configuration for the CRIME vulnerability. The compression methods your server accepts may put you in danger. Let's check your SSL for compression security.


Short Info

Level: Low
Type: Single Scan
Can be used by: Asset Owner
Estimated Time: 6 sec
Scan only one: Domain, IPv4
Parent Category: SSL Crime Detail

SSL Crime

What is the CRIME Vulnerability

CRIME stands for "Compression Ratio Info-leak Made Easy". It lets an attacker hijack an authenticated web session and launch further attacks from it: the HTTPS session cookie is recovered by brute force, and the recovered cookie can then be used to log in to the victim's account.

The cookie is retrieved by tricking the browser into sending encrypted, compressed requests to the protected website and exploiting the data leaked during that process. Extra data chosen by malicious JavaScript is embedded alongside the cookie in each request, and the differences in the sizes of the compressed messages are measured to determine the cookie's contents character by character. This works because TLS/SSL compression and SPDY use DEFLATE, which shrinks data by replacing repeated strings with references to earlier copies, so a request whose attacker-chosen part repeats a prefix of the cookie compresses to slightly fewer bytes.

CRIME works against TLS/SSL compression and SPDY. Recent statistics show that about 42% of servers support SSL compression and 0.8% support SPDY.
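As an added example (not the scanner's own code), the following Python script performs the check this page describes: it sends a TLS 1.2 ClientHello that offers DEFLATE and LZS before null compression and reads the server's ServerHello to see which compression method was selected. A server that answers with anything other than null (0x00) still has TLS-level compression enabled and remains exposed to CRIME; the fix is to turn compression off in the server's TLS stack (most modern stacks already disable it by default). The cipher-suite list, the extension set and the embedded sample ServerHello bytes are constructed for this example; SPDY is not probed.

```python
import socket
import struct
import sys

# Compression method identifiers registered for TLS (RFC 5246, RFC 3749, RFC 3943).
COMPRESSION_METHODS = {0x00: "null", 0x01: "DEFLATE", 0x40: "LZS"}

# A few widely supported TLS 1.2 cipher suites so that most servers can answer the probe (chosen for the example).
CIPHER_SUITES = [0xC02B, 0xC02F, 0xC00A, 0xC014, 0x009C, 0x002F, 0x0035]


def _ext(ext_type: int, body: bytes) -> bytes:
    """Encode one TLS extension: type (2 bytes), length (2 bytes), body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(server_name: str) -> bytes:
    """Build a TLS 1.2 ClientHello that lists DEFLATE and LZS before null compression.
    Offering the real methods first gives a server that still supports them every
    chance to select one, which is exactly what the probe wants to observe."""
    host = server_name.encode("idna")
    extensions = (
        _ext(0x0000, struct.pack("!H", len(host) + 3) + b"\x00" + struct.pack("!H", len(host)) + host)  # SNI
        + _ext(0x000A, struct.pack("!HHHH", 6, 0x001D, 0x0017, 0x0018))            # supported_groups: x25519, P-256, P-384
        + _ext(0x000B, b"\x01\x00")                                                  # ec_point_formats: uncompressed
        + _ext(0x000D, struct.pack("!HHHHH", 8, 0x0403, 0x0401, 0x0501, 0x0601))     # signature_algorithms
    )
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + b"\x00" * 32                                # random (a constant is fine for a configuration probe)
        + b"\x00"                                     # empty session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x03\x01\x40\x00"                         # compression_methods: DEFLATE, LZS, null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body                # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type handshake(22)


def parse_server_hello(data: bytes) -> dict:
    """Walk the TLS records in `data` until a ServerHello is found and report its
    version, cipher suite and negotiated compression method. Raises ValueError on
    a TLS alert or when no complete ServerHello is present."""
    pos = 0
    while pos + 5 <= len(data):
        rec_type = data[pos]
        rec_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
        if pos + 5 + rec_len > len(data):
            break                                      # record not fully received yet
        payload = data[pos + 5:pos + 5 + rec_len]
        pos += 5 + rec_len
        if rec_type == 0x15:                           # alert: the server refused our hello
            raise ValueError(f"server sent alert level={payload[0]} description={payload[1]}")
        if rec_type != 0x16:                           # not a handshake record
            continue
        hpos = 0
        while hpos + 4 <= len(payload):
            htype = payload[hpos]
            hlen = int.from_bytes(payload[hpos + 1:hpos + 4], "big")
            hbody = payload[hpos + 4:hpos + 4 + hlen]
            hpos += 4 + hlen
            if htype != 0x02 or len(hbody) < 38:       # not a (complete) ServerHello
                continue
            version = struct.unpack("!H", hbody[0:2])[0]
            off = 35 + hbody[34]                       # skip version, 32-byte random, session_id
            cipher = struct.unpack("!H", hbody[off:off + 2])[0]
            comp = hbody[off + 2]
            return {
                "version": version,
                "cipher_suite": cipher,
                "compression": comp,
                "compression_name": COMPRESSION_METHODS.get(comp, f"unknown(0x{comp:02x})"),
                "compression_negotiated": comp != 0x00,
            }
    raise ValueError("no ServerHello in response")


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to host:port, send the probe ClientHello and parse the reply."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        while len(buf) < 16384:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
            try:
                return parse_server_hello(buf)
            except ValueError as exc:
                if "alert" in str(exc):
                    raise
    return parse_server_hello(buf)


def constructed_server_hello(compression_method: int) -> bytes:
    """A minimal ServerHello built for offline testing (constructed sample, not a capture)."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x2f" + bytes([compression_method])
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:                                              # offline demonstration on the constructed samples
        for method in (0x01, 0x00):
            print(parse_server_hello(constructed_server_hello(method)))
```

Run it with a host name to probe a server you are responsible for, or without arguments to see the parser classify the two constructed ServerHello samples. A result with `compression_negotiated` true means the server still honours TLS compression; a TLS alert in reply usually means the server rejected the small cipher-suite list rather than anything about compression, so extend `CIPHER_SUITES` before drawing a conclusion.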
