Security researchers to present new 'CRIME' attack against SSL/TLS

[InfoSec News <alerts () infosecnews org>]

http://www.computerworld.com/s/article/9231013/Security_researchers_to_present_new_39_CRIME_39_attack_against_SSL_TLS

By Lucian Constantin
IDG News Service
September 6, 2012

Two security researchers claim to have developed a new attack that can 
decrypt session cookies from HTTPS (Hypertext Transfer Protocol Secure) 
connections.

Websites use session cookies to remember authenticated users. If an 
attacker gains access to a user's session cookie while the user is still 
authenticated to a website, the hacker could use it to access the user's 
account on that website.

HTTPS should prevent this type of session hijacking because it encrypts 
session cookies while in transit or when stored in the browser. However, 
the new attack, devised by security researchers Juliano Rizzo and Thai 
Duong, is able to decrypt them.

Rizzo and Duong dubbed their attack CRIME and plan to present it later 
this month at the Ekoparty security conference in Buenos Aires, 
Argentina.

[...]


--
#HITB2012KUL - The 10TH ANNUAL HITB Security Conference in Malaysia
with no keynotes, no labs - just three tracks filled with our most
popular speakers from the last decade: http://conference.hitb.org/