Like BEAST, CRIME is an attack against SSL/TLS sessions. Details have not been released, but it is understood that all versions of TLS, including version 1.2, are vulnerable. This is important because upgrading browsers to TLS 1.2 was one of the solutions against BEAST. This will not work against CRIME.
The attack requires a man-in-the-middle position on the network. "By running JavaScript code in the browser of the victim and sniffing HTTPS traffic, we can decrypt session cookies. We don't need to use any browser plug-in and we use JavaScript to make the attack faster but in theory we could do it with static HTML," said Rizzo.
Encrypted session cookies are used to maintain a secure connection with a website. With the CRIME attack these can be sniffed and decrypted. For as long as the target's current session is open, attackers can then use the same credentials to access the user's account, whether that's an e-commerce or banking site. "We present a new set of attacks against old and new secure Internet protocols," say the researchers. "Some of the most popular websites, browsers, and protocols are vulnerable. By vulnerable we mean the duo sitting next to you in coffee shops can get access to your emails, bank accounts, social networks..."
The theoretical risk exploited by Rizzo and Duong is apparently already known. "However," said Rizzo, "we haven't found previous research showing how efficient an attack could be or any attempt by the authors of secure protocols to avoid the problem."
The attack the duo have now developed has been tested, and works, against Chrome and Firefox. Other browsers are likely to be vulnerable. Chrome and Firefox are understood to have patches available. They will apparently be released within the next couple of weeks to coincide with the Ekoparty presentation.