Is my understanding correct that the attack described there requires all of 1. cookies associated with the target, 2. the ability to monitor the length of requests to the target, and 3. the ability to send requests to the target (e.g. JavaScript injection, malicious website)?
I guess this is actually an instance where those Hollywood "guess the password one character at a time" animations would make sense.
Due to the padding of even compressed SSL segments only having timing data will significantly complicate things. You'll be trying to measure the variance in deflate compressing different blocks with single byte differences. You better have an extremely low jitter connection!
Low jitter is not a requirement for timing side-channel attacks. As long as the jitter is uncorrelated with the timing difference that you're after, you can filter the signal from the noise.
Pretty much never. How often do they make requests that are at least partially attacker-controlled, though? (Note that variants on https://www.someapi.com/...?username=foo contain attacker-controlled data...)
To expand on your second point, if you have 3, then in many cases you also have the ability to intercept and modify non-encrypted traffic. Meaning, if the victim is using a secure web site and a non-secure site at the same time, the MITM can infiltrate the non-secure site and use it to generate requests to the secure site.
I don't know what you're saying. If you're saying that the "Secure" flag won't defend against CRIME, nobody is saying that. I'm saying that the "Secure" flag and HSTS mitigates SSL-stripping.
I think both ivanr and thatwonthelp were suggesting that any non-secure site (same origin or not) can be hijacked in order to make the requests necessary for this attack.
I understand and agree with your comment about the secure flag, but if I understood ivanr's comment it doesn't apply.
you don't need to manipulate the cookies being sent, only the body of the message. The browser will send the correct cookie in the header, you control the body, and use the length of the message to determine how close the cookie value in the body is getting to the one in the header.
For CRIME, I don't think that it's necessary to control the cookies. Having control of other parts of the request should be sufficient (e.g., using request headers, request body, etc).
As for manipulating cookies from the MITM perspective, here's one clunky way to do it: redirect the victim's browser to the plain-text version of the target web site, intercept that request, and set a new cookie (pretending to be the plain-text version of the target web site). The next request to the secure version of the target web site should contain the injected cookie. As tptacek mentioned in another comment, this approach would not work with a site that uses HTTP Strict Transport Security.
The attack as Pornin outlines it does not involve controlling the cookie header, but rather on being able to get content into the client's TX stream that happens to match the cookie header; think in terms of things like query args and post data.
I think all three comments in this little subthread might be saying the same thing. Go nerddom!
Would have been fun if they called this the CPE1704TKS attack
That one was not cracked one character at a time in series, portions in the middle were discovered sooner. But, yeah, would have been a more appropriate, cooler name.
Are there credible situations where you would be able to do (2) but not able to simply read the cookie from the DOM and send it to an attacker controlled website?
An attacker can build a hidden form that submits to a URL at the victim site, and submit it repeatedly using javascript. Alternatively an attacker could put the test content in the URL (we don't care if it 404s), which would work just as well and allow them to use a series of script-free pages full of images.
edit: tptacek is absolutely right; there isn't a way to defend against this in application code. All you can do is turn off TLS compression. This is NOT by any means the only approach, it's just the most obvious one.
Careful: you're outlining the attack well, but you wouldn't want to give someone the impression that defending against CSRF also defends against attacks like BEAST.
You can't read the cookie for the victim website from a malicious site. What you can do is send POST/GET requests to which the browser will attach the appropriate cookies.
As I understand it, only 2 and 3 are needed. The (secret) cookies are the part that is determined by the SSL compression exploit, by trying subsequent parts.
You're right that Hollywood "guess the password one character at a time" animation makes sense here. It also makes sense for timing based attacks. Ie, if checking "AB" against the password takes longer than "A", you know the second character is B...
Variable time until some threshold number of repeat failures occurs (e.g. 3). After this, manipulate the comparison time in such a manner that someone attempting to do this sort of attack would come up with a dummy password. If they come up with said dummy password, alert the user of an attempted attack.
You also need the client and server to both support TLS compression. But there aren't any major sites (that I know of) which do support TLS compression.
In my quick test, about 42% of the sites in the SSL Pulse data set (~180k SSL sites in Alexa's top 1m) support compression. For example, mail.yahoo.com does.
Stupid question: does TLS's compression use the _same_ compression state for both directions of the connection? That seems hard to me, because they could be sending information in parallel, and there's no provision for syncing streams.
So I suspect the attack there cannot work on TLS, and in fact the demo code posted in a comment attacks local zlib, not TLS.
I think the actual attack, if it's along these lines, involves getting the server to echo back your guess of the cookie, so that the cookie and your guess are both on the same stream. Perhaps with TRACE?
That Stripe CTF was deceptively excellent. If you (the reader of this comment) got through it and had fun, I promise, we'd be both interested to talk to you and an interesting company for you to talk to. www.matasano.com/careers.
Unless I'm missing something, I reckon there's a really obvious improvement on that, but Stack Exchange doesn't let new users leave comments. Think of the old puzzle where you've got 9 bags of gold coins which weight 10 grams each and one bag of shaved coins which weigh only 9 grams each and you need to figure out which bag has the shaved coins in only one weighing. You should be able do the same thing here - add one "Cookie: secret=A", two "Cookie: secret=B" and so on. Because of the limited look-back window in the compressor you'll need to interleave them like ABCD...BCD...CD... but it should give more information.
Edit: Wait, I am. That wouldn't work because it'd compress the repeated subsequences. D'oh.
Probably, yeah. Thinking about it, one obvious approach might be to try and overlap the last step of guessing one byte with the first step of guessing the next byte, for instance.
I suspect most TLS libraries will flush the compression buffer after each write call so its highly likely that every request will end on a deflate block boundary already.
Due to the nature of compression algorithms using BWT, changing a single byte in the uncompressed data might give you +/- 5 bytes difference in the size of the compressed data; that makes pulling off an attack like this much, much, much more difficult. Don't get me wrong, you'll get variance with deflate as well, but it's nowhere near the level of something like bzip2.
I do a lot of experimentation with new compression techniques for web demos, and I recently implemented my own compression algo from scratch based around the same building blocks as bzip2. The variance I saw was just staggering; a tiny change in my source material would totally warp the output.
I would love to see somebody proving or disproving whether BZip2 is susceptible to these type of attacks.
My assumption is that small changes in MTF transformation and tweaks in creating encoding table will make it impossible to crack using this method.
I think it's time for me to write a blog post entitled "on the provable security of spiped".
Seriously, we know how to build secure cryptographic protocols. Unfortunately, step #1 is "don't try to be backwards compatible with the horribly broken things people were doing in the 1990s".
FWIW, that advice made more sense pre-internet, when compression formats were tighter and encryption was weaker -- the idea was that an attacker might find the key but not recognize that he successfully decrypted the data.
These days, even when we don't include cryptographic fingerprints (e.g., with the hash-and-encrypt construction C = E(M || H(M)) ) there's enough structure in compression format headers to allow an attacker to recognize if he has the right key... and he isn't going to be running a brute-force attack anyway.
Strong agree. One of the big philosophical problems in cryptographic engineering seems to be that much of it was designed to address data-at-rest, but most of the practical problems are about data-in-motion, and those are two different problems.
It's not so much that the data itself is in motion, but that online secrecy/authentication necessarily implies widely-available encryption/verification oracles. Oracles with possible implementation vulnerabilities (/features) that can be abused to answer questions such as "What's the encrypted encoding of the secret++X" or "How long does it take to check if X is valid" ?
Data in motion creates opportunities for adaptive chosen plaintext attacks that aren't present in data-at-rest scenarios. An "oracle" is a basic characteristic of a cryptosystem, not a flaw, but the "oracle attacks" you're thinking of are instances of adaptive attacks.
But it's not the fact that the data is being transported that's leading to new attacks, it's that the parties are online and responding to arbitrary messages sent by the attacker. The data itself isn't creating problems - what's new is the ability for the attacker to ask interactive questions of the parties.
When authenticating messages, a receiver necessarily gains the ability to reject a message as invalid. Adaptive chosen plaintext attacks arise when this rejection ends up containing more information than a simple Y/N. From the perspective of an attacker, the verifier becomes an oracle capable of answering say "How many bytes are valid", leading to a sub-brute-force attack.
Can you point to an instance where you said anything like that, here or anywhere else, before last week?
It's easy for me to believe that you've internalized "minimize data-dependent branches in crypto code" and thus wouldn't have designed a compressed encrypted transport.
It is very hard for me to believe that you would have spotted this flaw immediately had anyone pointed out to you that TLS supported compression.
There is well-regarded (though not by me) crypto advice recommending that people compress before encrypting, to destroy structure in the plaintext.
"... both the SSH and TLS protocols support an option for on-the-fly compression. Potential security implications of using compression algorithms are of practical importance to people designing systems that might use both compression
and encryption."
It is very hard for me to believe that you would have spotted this flaw immediately had anyone pointed out to you that TLS supported compression.
I'm not claiming that I'd have noticed this particular attack. I'm saying that having compression in a supposedly secure transport layer was an obviously bad idea even before it was clear how it could be exploited. I don't need to get into a car accident to know that driving at night with my car's headlights turned off is a bad idea.
There is well-regarded (though not by me) crypto advice recommending that people compress before encrypting, to destroy structure in the plaintext.
There's a huge difference between compressing data and compressing an authentication channel. This is why compression should not be included in the secure channel -- it should be left up to the higher-level code to decide if compression is (a) completely pointless or (b) will leak information dangerously.
These are things that are obvious in hindsight. They may have been obvious to you before; or, as I'm claiming, they may just fit snugly into your (probably correct) philosophy about secure channel design.
But compression in TLS is not a relic of the 1990s; it's something that looks to have gained its earliest adoption in SSL/TLS at about the same time as Elliptic Curve.
My issue here isn't that you're wrong; it's that I think this is an extremely clever attack that says something profound about designing cryptosystems, and I wouldn't want to see Thai's and Juliano's (or Pornin's, if he's "wrong" about the prediction) work minimized by a glib comment about TLS.
compression [...] looks to have gained its earliest adoption in SSL/TLS at about the same time as Elliptic Curve
I guess by that point they had thrown in everything but the kitchen sink, and decided they might as well throw in the kitchen sink too.
I wouldn't want to see Thai's and Juliano's (or Pornin's, if he's "wrong" about the prediction) work minimized by a glib comment about TLS.
Oh, of course. I'm just irritated (as usual) by the fact that people continue to use SSL/TLS "because it's the standard" despite the fact that it's a phenomenally broken standard. There's places where you can't avoid it (HTTPS), but where it can be avoided...
That protocols without security proofs can survive in the real world, and protocols with security proofs still fall to implementation bugs, and that if you were going to bet on incidence of protocol design flaws vs. implementation flaws, the safe bet is on implementation flaws.
The level of civility in this thread is great, but I would pay money to see a DEF CON panel debate between you two where you each had to take a shot every 8 minutes. We could get Mikko Hypponen to moderate and pour shots!
If you've got a provably secure protocol, what's the problem with formally verifying the implementation of the protocol?
I work in an area where bugs are very scary, so we use formal verification, and that's on top of having many more testers than developers.
From the perspective of this naive outsider, I'd would have expected FV to be worth it for security sensitive protocols. Is it that the protocols are too complex to be verified, or is it just not considered to be worth the effort?
I'm not making an argument against formal methods. I'm saying that if you replaced TLS with a protocol with a design proof, you could easily end up less secure.
Vulnerabilities don't arise by study, they arise because of vulnerabilities. We have plenty of well-studied crypto that is fine, ranging from SHA to Kerberos.
Colin is right that we know how to prove that cryptographic systems have certain security properties. The academic literature is filled with laments about TLS and proofs of fixed versions of it.
SHA? The Secure Hash Algorithm? The Secure Hash Algorithm with the length extension property? The Secure Hash Algorithm with the length extension property that was specifically forbidden from the SHA-3 contestants because it creates implementation vulnerabilities in the real world? That SHA?
Also, how does one compare a cryptographic hash function core to an entire cryptographic protocol to produce a statement about the fallibility of crypto design?
You'd have the same problem if HTTP supported compression of the request headers & body. It's because it only supports compression of the response body that there isn't any leakage already.
This is true, but it reinforces why the compression should not be done at the secure transport layer, and should instead be left to higher levels: only HTTP knows which parts of the request are potentially unsafe to include in the same compression state.
(Even if HTTP probably just got lucky here rather than deliberately making the right choice, it's still the only layer that had the chance to make the right choice).
Compression itself in a cryptographic protocol is not the issue here. The problem starts when you let an attacker add chosen plain-text before or after the secret in the same compressed and encrypted stream.
Compression before encryption is not a problem if the sender is the only person that decides what is in the message to be sent. Compression doesn't make it vulnerable to chosen plain-text attacks either. Mixing victims's and attacker's data before compression and encryption will leak data, yes.
In theory, protocols which fall to attacks when attackers have control of some of the message are said to be vulnerable to "chosen plaintext attacks" (if the attacker only gets 1 shot per message) or "adaptive chosen plaintext attacks" (if the attacker gets many bites at the same apple). Sound protocols don't have feasible adaptive chosen plaintext attacks.
In practice, most protocols can be coerced into carrying some data controlled by attackers. Sneaking some attacker-controlled data into a message is a very low bar for an attacker to clear.
It's true that content-controlled Javascript code makes it distinctively easy for an attacker to spirit their data into the plaintext, but don't let that confuse you. For the HTTPS/TLS cryptosystem to be sound, attackers can't use this property to decrypt the content they didn't add to the message.
The excuses I've heard for it include 1) can't do compression after the crypto, and 2) it reduces ciphertext available to attackers. SSH and PGP do it too.
What it does is eliminate the structure of the plaintext. Lots of practical crypto implementation attacks depend on plaintext structure, especially in their most naive and straightforward implementations.
A conceptual purist like Colin Percival would argue, correctly, that if there's an attack against a cryptosystem that benefits from knowing the distribution of bytes in the plaintext, that's a damning statement about the cryptosystem itself.
What's the issue with that ? Isn't it possible to design a compression algorithm that is efficient and less predictable at the same time ? Or is it more of a general concept that I don't know of ?
You think you have a handle on how hard it is to get crypto right. Then you get a result like this. As an expert (not me; I'm not smart enough to say this) would put it: "if attacker data is mixed with defender data, none of the branches in the cryptosystem code can depend on the content".
I think crypto is possibly the best example in all of software development and/or computer science of how dangerous "unknown unknowns" are, and how a little knowledge is a dangerous thing (although threads are a serious competitor for the latter trophy).
I've studied cryptography theory, and I've implemented various ciphers and attacks, and the more I learn the more certain I become that I would never, ever use any of my own crypto code in production.
Reading the title, I thought that Chrome was turning of gzip based compression for HTTP bodies when using SSL. According to http://security.stackexchange.com/a/19914 (linked above by jgrahamc), it is in fact header compression that is TLS specific. So a giant sigh of relief from me.
Thanks for noting this. I also got this wrong on the first reading. Having to drop gzip compression of the content would be terrible. I fathom that header compression helps if you have many requests (polling etc), but for most websites it is much less influential in bandwidth usage.
Data compression is often used in data storage or transmission. Suppose you want to
use data compression in conjunction with encryption. Does it make more sense to
A. Compress the data and then encrypt the result, or
Well, B makes no sense. A makes sense, but might have leaks, that depending on use case (and in particular, whether the attacker can execute chosen plaintext attacks like in SSL) may or may not weaken the system, but it still makes sense.
For a confusing example of a fairly leaky cryptosystem involving compression that works well in practice and has a proof of security that is aware of the leak, see Douceur et al.'s "convergent encryption".
Colour me stupid, but is there something to prevent inserting indeterminate padding while sending headers? e.g. imagine a request like
GET / HTTP/1.0
X-Pad: GET / HTTP/aaaaaaa
Where X-Pad randomly repeats previous bytes, and perhaps 0..8 bytes of random/repeating variable-length data. By randomizing the effectiveness of the compression, surely this attack can be generally prevented by the browser?
You could argue that given enough samples the noise could be filtered and the attack still remains, but the same could be said the same for many successful patches over the years (TCP sequence number randomization, Kaminsky's DNS issue, etc.), and the number of samples required would be pretty infeasible.
I'm fairly certain this could be defeated with a little differential cryptanalysis. Similar approaches to defeating side-channel attacks on smart card power usage have been tried and defeated :/
If it's random, you can just get enough samples and remove the noise. It'd have to be padding to a given number of bytes, but that probably has a vulnerability too.
No, I doubt that something closed in early 2010 has much to do with a new patch that has a rationale disabled from public viewing which implies it's a security emergency.
While this is probably security related, disabling compression is actually a good practice for clients which make a large number of SSL requests (like a browser). OpenSSL allocates alot of memory per connection for compression/decompression. See http://journal.paul.querna.org/articles/2011/04/05/openssl-m... for a great discussion of why SSL_OP_NO_COMPRESSION might make sense for you.
Even if you don't have direct access to the library code creating SSL objects, there are still some tricks with ctypes, ffi, dlopen that have the same effect.
I think it does, although not precisely as described in the SO post above: in SPDY the request headers are compressed separately before any TLS compression would apply, so the attacker would have to put her guess of the cookie in the request headers or the URL (as the URL is sent as a pseudo-header in SPDY).
It would be interesting to know if there were any changes in the SPDY implementation. It too supports compression before encryption and may be affected by the same problem.
Hidden <iframe> elements would probably work just as well.
It might even work with JacaScript turned. Have a page with nested iframes. Serve each one from a different IP address and have the server not answer right away. The server answers with the first iframe having a chosen URL while Eve snoops the wire. Eve tells the server which URL to use for the next iframe body that it sends. Repeat until the cookie is deduced. The server can use a nested tree of iframes to avoid having a bazillion iframes in the top level document.
Javascript just makes the attack faster, but it can be accomplished with raw html. Cookies are required though; it's what you are after when using this attack.
Pretty much, yes. With the proviso that if you didn't have HTTP Content-Type compression for your content before, then it might still have been compressed at the TLS layer, and won't be now.
Compression: Specifies whether compression is allowed, or delayed until the user has authenticated successfully. The argument must be "yes", "delayed", or "no". The default is "delayed".
I don't know why they chose "delayed" as default, but this seems to prevent this attack.
The SSH protocol is nothing like TLS. The SSH security model is nothing like the TLS security model. Pornin's guess about Thai and Juliano's attack does not break the TLS authentication model; it breaks the confidentiality guarantees TLS makes to the application layer. If you authenticated TLS with certificates the way SSH authenticates with keys, you wouldn't worry about the compression attack.
See: http://security.stackexchange.com/a/19914