SSL Compression Methods

OWASP 2013-A9 OWASP 2017-A9 OWASP PC-C1 PCI v3.2- CAPEC-310 CWE-829 HIPAA-829 ISO27001-A.14.1.2 WSTG-CRYP-01

Compression methods are algorithms used to compress stored files. Data are compressed to achieve the best storage capacity from the server. Compression also helps in transmitting data in compressed form to consume fewer data. There are mainly two types of compression methods:-

  • Lossless: The lossless compression helps to reconstruct the original data from the compressed data.
  • Lossy: The lossy compression reconstructs nearly perfect original data using assumptions and improved compression rate. This compression technology helps to reduce the size of the output file.

Compression helps to reduce data usage. But, compressed data are vulnerable to many attacks. Compression methods are the easiest for exploiting sensitive information. These compression methods are vulnerable to attacks like:-

  • Compression Ratio Info-leak Made Easy (CRIME) attacks: The CRIME is a client-side attack that exploits the compression methods used in the web cookies to extract sensitive information like session cookie and many more.

  • BREACH attacks and many more.

The TLS (Transport Layer Security) protocol includes some features that negotiate selection of a lossless data compression method as part of the TLS Handshake. The protocol can then apply the algorithm associated with the selected method as part of the TLS Record Protocol. The TLS protocol defines one standard compression method which specifies that data exchanged via the record protocol will not be compressed.

Impact

The impact include:-

  • Loss of sensitive information. The attacker can steal sensitive information from the communication channel.
  • Breach attacks

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Avoid the use of compression methods on the client sides. The following browsers won’t support compression:-
    • Internet Explorer (All versions)
    • Google Chrome ( ver 21.0.1180.89 and above)
    • Firefox (ver 15.0.1 and above)
    • Opera (ver 12.01 and above)
    • Safari (ver 5.1.6 and above)
  • Disable use of compression techniques on the server. For Apache users, go to server config.
		SSLCompression off

	

Latest Articles