Protecting Against the CRIME Attack
With the advent of CRIME, the successor to BEAST, individuals and system owners need to know how to protect themselves and their users against this new attack on TLS.
One possible protection against this attack is to disable compression support in your client or server. SSL/TLS optionally supports data compression, but compression algorithms can be exploited by attackers.
Compression algorithms are specified by one-byte identifiers, and TLS 1.2 (RFC 5246) defines only the null compression method. Other documents specify compression methods, such as DEFLATE which is based on LZ77-derivative and is used in GZip and Zip archives.
The CRIME attack exploits the repeated subsequences of bytes in compressed data. The attacker can send arbitrary requests containing different values for the ‘Cookie: secret’ header. By observing the length of the compressed request, the attacker can guess the value of the secret byte by byte.
Although it is a shame to disable SSL compression because of its usefulness in reducing bandwidth requirements, it is necessary to protect against the CRIME attack. HTTP-level compression, which applies only to the body of the requests and responses, is still fine.
In conclusion, regardless of whether the CRIME attack is based on compression or something completely different, disabling compression support in your client or server is a crucial step to protect against this attack.
Edit 2012/09/12: The attack can be optimized by using a dichotomy method to guess the unknown byte value of the secret. By making multiple requests with different variants of the ‘Cookie: secret’ header, the attacker can determine the value of the secret byte in a shorter time.
Edit 2012/09/13: The CRIME attack has been confirmed to abuse compression, similar to the method explained above.