On 2/11/19 5:28 PM, Peter Eisentraut wrote:
One mitigation is to not write code like that, that is, don't put secret
parameters and user-supplied content into the same to-be-compressed
chunk, or at least don't let the end user run that code at will in a
tight loop.
The difference in CRIME is that the attacker supplied the code. You'd
trick the user to go to http://evil.com/ (via spam), and that site
automatically runs JavaScript code in the user's browser that contacts
https://bank.com/, which will then automatically send along any secret
cookies the user had previously saved from bank.com. The evil
JavaScript code can then stuff the requests to bank.com with arbitrary
bytes and run the requests in a tight loop, only subject to rate
controls at bank.com.
Right, CRIME is worse since it cannot be mitigated by the application
developer. But even so I do not think that my query is that odd. I do
not think that it is obvious to most application developer that putting
user supplied data close to sensitive data is potentially dangerous.
Will this attack ever be useful in practice? No idea, but I think we
should be aware of what risks we open our end users to.
Andreas
