EvilZone

: Securing my Website Part One- CRIME SSL/TLS
: McHackzzzzzz February 18, 2014, 12:04:47 AM
Hi all, I have recently set up a website (I won't link for obvious reasons ;) ) and out of interest I ran an Acunetix Web Vulnerability Scan to find that there was a "very high threat level" and it stated that my site was vulnerable to a CRIME SSL/TLS attack.

I have a few questions on this matter:

1. Using words a script kiddie would understand, what is a CRIME SSL/TLS attack?
2. How difficult is it to exploit from 1 to 10? (1 being easy and 10 being impossible)
3. Should I be worried?

-Thanks in advance for the help!
: Re: Securing my Website Part One- CRIME SSL/TLS
: lucid February 18, 2014, 12:25:19 AM
A CRIME SSL/TLS attack is very dangerous. I'll answer your questions one by one.

1. SSL stands for Secure Shadow Listener. Basically (in words a script kiddie can understand) what this means is that your site is vulnerable to someone installing a very sneaky listener program on your site. Do you have any identifying information linking yourself to your site? I'm sure you do. It's very hard to avoid this and I doubt you used an elite proxy when you built your website. The SSL virus siphons off information about you from your site. The TLS part is where the exploiting happens. Your website could very easily get rooted and defaced.

2. Hmm. I'd say it would easily be a 3. These attacks are pretty easy to do. I myself find it tempting but since you asked respectably I think I'll leave it alone.

3. Absolutely.
: Re: Securing my Website Part One- CRIME SSL/TLS
: vezzy February 18, 2014, 01:20:37 AM
CRIME and BREACH are kind of bummers, because there is no truly reliable way to mitigate them yet.

However, one decent hack for the time being is to disable HTTP compression for requests with no or outside referers: https://community.qualys.com/message/20360
: Re: Securing my Website Part One- CRIME SSL/TLS
: M1lak0 February 18, 2014, 03:51:32 PM
Is there any way to manually check whether such a vuln lies on the site or not?
: Re: Securing my Website Part One- CRIME SSL/TLS
: hppd March 08, 2014, 08:34:07 PM
CRIME and BREACH are kind of bummers, because there is no truly reliable way to mitigate them yet.

However, one decent hack for the time being is to disable HTTP compression for requests with no or outside referers: https://community.qualys.com/message/20360
Huh? I don't know anything about this hack. But why would this stop an attacker? Referers can be spoofed super easily..
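
The referer-based workaround mentioned in the thread, as an added example that is not part of the thread or of the linked Qualys post: a WSGI middleware that leaves compression available only for same-site HTTPS referers. The check is aimed at requests issued by a victim's browser, where a page on another origin can suppress the Referer header but cannot set it to the site's own origin. `TRUSTED_HOSTS`, `example.com` and the class name are assumptions, and the gzip step is assumed to run in a layer wrapped by this middleware.

```python
from urllib.parse import urlsplit

# Assumption: placeholder hostnames standing in for the site's own origins.
TRUSTED_HOSTS = frozenset({"example.com", "www.example.com"})


def referer_is_same_site(referer, trusted_hosts=TRUSTED_HOSTS):
    """Return True only for an https Referer whose host is one of ours."""
    if not referer:
        return False  # missing or empty Referer counts as "outside"
    try:
        parts = urlsplit(referer.strip())
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return False  # malformed URL, e.g. a broken IPv6 literal
    # Plain-http referers are refused: a network attacker can serve such a
    # page under the site's hostname and have it issue the requests.
    if parts.scheme != "https":
        return False
    # Exact host match; substring or suffix tests would accept
    # "example.com.evil.test" or "example.com@evil.test".
    return host in trusted_hosts


class CompressionGate:
    """Hypothetical WSGI middleware: drop Accept-Encoding for requests whose
    Referer is absent or foreign, so the wrapped compressing layer replies
    with an uncompressed body."""

    def __init__(self, app, trusted_hosts=TRUSTED_HOSTS):
        self.app = app
        self.trusted_hosts = trusted_hosts

    def __call__(self, environ, start_response):
        referer = environ.get("HTTP_REFERER")
        if not referer_is_same_site(referer, self.trusted_hosts):
            # Without Accept-Encoding the inner layer has nothing to negotiate.
            environ.pop("HTTP_ACCEPT_ENCODING", None)
        return self.app(environ, start_response)
```

If a shared cache sits in front of the application, responses now differ by Referer as well as by Accept-Encoding, so the cache key or `Vary` header has to account for that.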