Welcome to the full schedule of the OWASP AppSec Research EU 2013 conference days. You’ll find the schedule for the training days at http://trainings2013.appsec.eu
Back To Schedule
Thursday, August 22 • 1:50pm - 2:35pm
A Perfect CRIME? Only time will tell

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

In 2012, security researchers shook the world of security with their CRIME attack against the SSL encryption protocol. CRIME (Compression Ratio Info-leak Made Easy) attack used an inherent information leakage vulnerability resulting from the HTTP compression usage to defeat SSL’s encryption. 
However, the CRIME attack had two major practical drawbacks. The first is the attack threat model: CRIME attacker is required to control the plaintext AND to be able to intercept the encrypted message. This attack model limits the attack to mostly MITM (Man In The Middle) situation. 
The second issue is the CRIME attack was solely aimed at HTTP requests. However, most of the current web does not compress HTTP requests. The few protocols that did support HTTP requests compression (SSL compression and SPDY) had dropped their support following the attack details disclosure, by thus rendering the CRIME attack irrelevant. 
In our work we address these two limitations by introducing the TIME (Timing Info-leak Made Easy) attack for HTTP responses. 
By using timing information differential analysis to infer on the compressed payload’s size, the CRIME attack’s attack model can be simplified and its requirements can be loosened. In TIME’s attack model the attacker only needs to control the plaintext, theoretically allowing any malicious site to launch a TIME attack against its innocent visitors, to break SSL encryption and/or Same Origin Policy (SOP). 
Changing the target of the attack from HTTP requests to HTTP responses significantly increases the attack surface, as most of the current web utilizes HTTP response compression to save bandwidth and latency. 

avatar for Tal Be'Ery

Tal Be'Ery

Tal Be’ery is the web security research team leader at Imperva’s Application Defense Center (ADC). In this position, he leads the efforts to capture and analyze hacking activities. The insights obtained in this process are incorporated into the design of new security mechanisms... Read More →

Thursday August 22, 2013 1:50pm - 2:35pm CEST