Compression Ratio Info-leak Made Easy (CRIME) is one of the famous security exploit. This attack is used against secret web cookies that use data compression over connections using the HTTPS and SPDY protocols. An attacker can use the CRIME attack to recover the content of the secret authentication cookies. It will also allow an attacker to perform session hijacking on an unauthenticated web session. This privilege will help him launch furthermore attacks to can potentially crash the system. Using CRIME, an attacker can perform attacks like session hijacking to gain access to the victim user’s session. A successful CRIME attack involves an attacker observing the size of ciphertext sent by the browser and also making the browser send malicious requests to the vulnerable server. CRIME is a client-side attack, but there are methods through which a particular server can protect the client. The methods include not implementing deflate compression.
This vulnerability can be exploited by Man-in-the-middle attackers. A man-in-the-middle attack is a silent vulnerability with disastrous power in cryptography and computer security world. It is an attack in which the attacker secretly monitors and alters the communication between two parties.
Beagle recommends the following fixes:-