Computer hack allows HTTPS session hijacking

MplsBob

Senior member
Jul 30, 2000
340
0
0
The Ars Technica site has an article about a successful hacking of the Hypertext Transfer Protocol Secure (HTTPS).

HTTPS protects us when we want secure Internet communication during online banking, when we use our credit card, etc.

The hack has been named CRIME. CRIME works only when both the browser and server support TLS compression or SPDY, an open networking protocol used by both Google and Twitter. Microsoft's Internet Explorer, Google's Chrome and Mozilla's Firefox browsers are all believed to be immune to the attack.

Question: Are there any steps we can take to reduce our vulnerability to this?
 

Chiefcrowe

Diamond Member
Sep 15, 2008
5,054
197
116
Not sure really, probably not much besides perhaps using Opera for secure sites. I'm pretty sure everyone is working on a fix that will be out ASAP.
 

cl-scott

ASUS Support
Jul 5, 2012
457
0
0
Is there maybe a typo in there? You state IE, Chrome, and Firefox are thought to be immune, then want to know what can be done to mitigate the risk. So if you're an Opera or Safari user, you'd just switch to one of the supposed immune browsers.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
5,054
197
116
Yes, I think it was a typo. I read that all of those browsers are susceptible to this attack, so I guess Opera is not.
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,541
419
126
Quote from - http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/

"CRIME works only when both the browser and server support TLS compression or SPDY, an open networking protocol used by both Google and Twitter. Microsoft's Internet Explorer, Google's Chrome and Mozilla's Firefox browsers are all believed to be immune to the attack, but at time of writing smartphone browsers and a myriad of other applications that rely on TLS are believed to remain vulnerable".

End of Quote.

As you see, the main problem is smartphone apps.

IMHO anyone who does banking and other types of must-be-secure connections from his/her smartphone has to use the same phone to call a psychiatrist ASAP and get a mental exam.

If one does not get it, there is a reason why government and other agencies are using special BlackBerries and not your telco's regular edition phones.


Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Quote from - http://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/

"CRIME works only when both the browser and server support TLS compression or SPDY, an open networking protocol used by both Google and Twitter. Microsoft's Internet Explorer, Google's Chrome and Mozilla's Firefox browsers are all believed to be immune to the attack, but at time of writing smartphone browsers and a myriad of other applications that rely on TLS are believed to remain vulnerable".

End of Quote.

As you see, the main problem is smartphone apps.

IMHO anyone who does banking and other types of must-be-secure connections from his/her smartphone has to use the same phone to call a psychiatrist ASAP and get a mental exam.

If one does not get it, there is a reason why government and other agencies are using special BlackBerries and not your telco's regular edition phones.


You omitted an important part:

Both Chrome and Firefox were susceptible until recently. Google and Mozilla released patches after the weaknesses were privately reported by Juliano Rizzo (@julianor) and Thai Duong, the researchers who devised the CRIME exploits. Internet Explorer was never vulnerable because it never supported SPDY (pronounced "speedy") or the TLS compression scheme known as Deflate.

As you can see, from a security perspective there is no real differentiation between mobile apps and desktop apps. Doing banking and other secure transactions on your phone is just as secure as doing them on a PC.

Blackberries are more secure because they're less functional, just like IE in this case.
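The thread's technical point is that CRIME needs TLS compression (or SPDY) to be negotiated, so the practical check on the defender's side is whether a given connection actually negotiated a compression method. As an added example, not from the thread or from Ars Technica, the following Python parses a TLS ServerHello record and reports the server's chosen compression method (0x00 is null, 0x01 is DEFLATE per RFC 3749), and builds a client context with compression explicitly disabled via the standard library's `ssl.OP_NO_COMPRESSION`. The ServerHello records are constructed test data, not captures from any real server.

```python
import ssl
import struct

# Constructed sample records (not captured from any real server). Each is a
# single TLS record carrying one ServerHello handshake message.

def _build_server_hello(version: bytes, cipher: bytes, compression: int) -> bytes:
    """Assemble a TLS 1.x ServerHello inside a handshake record (test data only)."""
    server_random = bytes(range(32))           # fixed 32 bytes for reproducibility
    session_id = b""
    body = (version + server_random + bytes([len(session_id)]) + session_id
            + cipher + bytes([compression]))
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # type 2 = ServerHello
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake

# compression_method 0x00 = null, 0x01 = DEFLATE (RFC 3749), 0x40 = LZS (RFC 3943)
COMPRESSION_NAMES = {0x00: "null", 0x01: "DEFLATE", 0x40: "LZS"}

SAMPLE_NULL_COMPRESSION = _build_server_hello(b"\x03\x01", b"\xc0\x2f", 0x00)
SAMPLE_DEFLATE = _build_server_hello(b"\x03\x01", b"\xc0\x2f", 0x01)


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ServerHello and return the negotiated parameters."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:
        raise ValueError("record does not carry a ServerHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ServerHello")
    pos = 0
    version = body[pos:pos + 2]; pos += 2
    pos += 32                                   # skip server random
    sid_len = body[pos]; pos += 1
    pos += sid_len                              # skip session id
    cipher_suite = body[pos:pos + 2]; pos += 2
    compression = body[pos]
    return {
        "version": f"{version[0]}.{version[1]}",
        "cipher_suite": cipher_suite.hex(),
        "compression_method": compression,
        "compression_name": COMPRESSION_NAMES.get(compression, "unknown"),
    }


def negotiated_compression(record: bytes) -> bool:
    """True if the server selected anything other than the null compression method."""
    return parse_server_hello(record)["compression_method"] != 0x00


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses to negotiate TLS compression at all."""
    ctx = ssl.create_default_context()
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


def hardened_context_disables_compression() -> bool:
    """Sanity check that the hardened context really carries OP_NO_COMPRESSION."""
    return bool(hardened_client_context().options & ssl.OP_NO_COMPRESSION)


if __name__ == "__main__":
    for label, rec in (("null", SAMPLE_NULL_COMPRESSION), ("deflate", SAMPLE_DEFLATE)):
        info = parse_server_hello(rec)
        print(label, info, "CRIME-relevant:" , negotiated_compression(rec))
    print("hardened context disables compression:", hardened_context_disables_compression())
```

On a live connection the same question can be answered without parsing bytes: after the handshake, `ssl.SSLSocket.compression()` returns the negotiated algorithm name or `None`, and a connection made through `hardened_client_context()` will always report `None`. The record parser is useful where you only have a packet capture of an app's traffic, which is the situation the thread describes for smartphone clients.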
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,541
419
126
I am aware of it, security patches are part of our life.

However, what matters is the end result: the desktop/laptop browsers can be patched, the mobiles stay risky.

Functional or Not, it is secondary to the risk taken while using Mobiles for Banking and CC activities.


Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
I am aware of it, security patches are part of our life.

However, what matters is the end result: the desktop/laptop browsers can be patched, the mobiles stay risky.

Functional or Not, it is secondary to the risk taken while using Mobiles for Banking and CC activities.



No, the mobile apps can be patched just as easily as well. I get updates for my mobile apps every day. A mobile computer is still a computer; the distinction you're drawing is unwarranted. Internet banking is equally risky regardless of the platform. Actually, in theory it's less risky because mobile environments are more controlled and thus have less under-vetted code in them.
 