Last week researchers unveiled a new exploit that allows the hijacking of HTTPS connections, the type of connections the world relies on for secure data transfer over the Internet.
Dubbed CRIME (Compression Ratio Info-leak Made Easy), the hack exploits vulnerabilities in Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols when a website uses either Deflate or SPDY, two compression techniques used to reduce server load when using HTTPS. This means not all HTTPS connections can be broken but connections made with websites that utilize Deflate or SPDY are vulnerable… websites like Gmail, Twitter, and Dropbox. It also means that not all browsers are equal; browsers need to specifically support Deflate or SPDY for the techniques to be used because without browser support, an HTTPS connection to a website cannot use Deflate or SPDY. If your browser doesn’t support Deflate and SPDY, there isn’t too much to worry about.
So, then, the question is which browsers support Deflate and SPDY? The answer actually is not many desktop browsers. Both Chrome and Firefox used to be susceptible to the CRIME exploit but both Google and Mozilla quickly issued patches prior to CRIME going public due to the researchers notifying them in private ahead of time. (Yes, that means you should upgrade Firefox to the latest version.) Microsoft says Internet Explorer was never vulnerable to CRIME because it never supported Deflate or SPDY; Opera does not support SPDY, and Deflate support has so far only been in Beta versions of Opera (it is unknown if Opera has patched those Beta versions); and the compression used by Safari is unknown but we do know it doesn’t support SPDY. However, as ArsTechnica points out, many less-supported or less-known browsers may still continue to support CRIME-exploitable SPDY and Deflate, and many smartphone and tablet browsers are still vulnerable, such as the stock Android browser. It is unknown if Firefox and Chrome for Android and iOS have been patched against CRIME like their desktop versions. It also isn’t entirely clear if the stock iPhone/iPad browser supports SPDY or Deflate but some commentators have mentioned the stock iOS browser does indeed support Deflate.
For their part, many websites have disabled Deflate and SPDY support since this vulnerability went public. Gmail, Twitter, Dropbox and many others have either stopped using the compression techniques or patched them so they are no longer vulnerable. So even if your browser has not been patched against CRIME, if the website you are connecting to via HTTPS no longer supports Deflate or SPDY or has been fixed to plug the vulnerability, then you are fine. In fact, disabling Deflate and SPDY at the website-level is a better defense against CRIME than patching browsers, according to some researchers.
Scary stuff. If HTTPS cannot be trusted then I may as well stop using the Internet. Bye, bye dotTech, it was nice knowing you.