Pages: [1]

Author Topic: Securing my Website Part One- CRIME SSL/TLS  (Read 699 times)

0 Members and 3 Guests are viewing this topic.

Offline McHackzzzzzz

  • NULL
  • Posts: 1
  • Cookies: 0
    • View Profile
Securing my Website Part One- CRIME SSL/TLS
« on: February 18, 2014, 12:04:47 am »
Hi all, I have recently set up a website (I won't link for obvious reasons ;) ) and out of interest I ran a Acunetix Web Vulnerability Scan to find that there was a "very high threat level" and it stated that my site was vulnerable to a CRIME SSL/TLS attack.

I have a few questions on this matter:

1. Using words a script kiddie would understand, what is a CRIME SSL/TLS attack?
2.How difficult is to exploit from 1 to 10? (1 being easy and 10 being impossible)
3. Should I be worried?

-Thanks in advance for the help!
« Last Edit: February 18, 2014, 12:14:02 am by McHackzzzzzz »
Report to moderator   Logged

Offline lucid

  • #Underground
  • Titan
  • **
  • Posts: 2683
  • Cookies: 243
  • psychonaut
    • View Profile
Re: Securing my Website Part One- CRIME SSL/TLS
« Reply #1 on: February 18, 2014, 12:25:19 am »
A CRIME SSL/TLS attack is very dangerous. I'll answer your questions one by one.

1. SSL stands for Secure Shadow Listener. Basically(in words a script kiddie can understand) what this means is that your site is vulnerable to someone installing a very sneaky listener program on your site. Do you have any identifying information linking yourself to your site? I'm sure you do. It's very hard to avoid this and I doubt you used a elite proxy when you built your website. The SSL virus siphons off information about you from your site. The TLS part is where the exploiting happens. Your website could very easily get rooted and defaced.

2. Hmm. I'd say it would easily be a 3. These attacks are pretty easy to do. I myself find it tempting but since you asked respectably I think I'll leave it alone.

3. Absolutely.
« Last Edit: February 18, 2014, 12:26:12 am by lucid »
Report to moderator   Logged
"Hacking is at least as much about ideas as about computers and technology. We use our skills to open doors that should never have been shut. We open these doors not only for our own benefit but for the benefit of others, too." - Brian the Hacker

Quote
15:04  @Phage : I'm bored of Python

Offline vezzy

  • Royal Highness
  • ****
  • Posts: 771
  • Cookies: 172
    • View Profile
Re: Securing my Website Part One- CRIME SSL/TLS
« Reply #2 on: February 18, 2014, 01:20:37 am »
CRIME and BREACH are kind of bummers, because there is no truly reliable way to mitigate them yet.

However, one decent hack for the time being is to disable HTTP compression for requests with no or outside referers: https://community.qualys.com/message/20360
Report to moderator   Logged
Quote from: Dippy hippy
Just brushing though. I will be semi active mainly came to find a HQ botnet, like THOR or just any p2p botnet

Offline M1lak0

  • Peasant
  • *
  • Posts: 129
  • Cookies: 10
    • View Profile
Re: Securing my Website Part One- CRIME SSL/TLS
« Reply #3 on: February 18, 2014, 03:51:32 pm »
Is there any way to manually check if such vuln lie on the site or not?[size=78%] [/size]
Report to moderator   Logged
"Security is just an illusion"

Offline hppd

  • Knight
  • **
  • Posts: 163
  • Cookies: 7
    • View Profile
Re: Securing my Website Part One- CRIME SSL/TLS
« Reply #4 on: March 08, 2014, 08:34:07 pm »
Quote from: vezzy on February 18, 2014, 01:20:37 am
CRIME and BREACH are kind of bummers, because there is no truly reliable way to mitigate them yet.

However, one decent hack for the time being is to disable HTTP compression for requests with no or outside referers: https://community.qualys.com/message/20360
Huh? I don't know anything about this hack. But why would this stop an attacker? Referers can be spoofed super easily..
Report to moderator   Logged
Pages: [1]