Researchers have identified a security weakness that allows hijacking of web browser sessions even when they’re protected by the HTTPS encryption that banks and e-commerce sites use to prevent snooping on sensitive transactions.
The exploit, dubbed CRIME, or Compression Ratio Info-leak Made Easy, uses an encrypted data stream’s own data-compression methods against itself.
Compression is essentially a form of pattern matching: it works by algorithmically finding patterns in information and boiling those patterns down to a smaller but seemingly more random data set. By injecting plain-text transmissions alongside the encrypted ones, clever cryptographers were able to monitor and analyze changes created by compression techniques (i.e. deflate and SPDY), eventually unraveling the cipher.
In order for the exploit to work, a user’s Internet browser must establish a secure connection via TLS compression (deflate) or SPDY (a protocol developed by Google). Most modern browsers support at least one of these technologies but Internet Explorer users will be glad to hear they are safe — Microsoft’s browser has never supported either. Somewhat ironically, this is an example of less being more.
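The size side channel described above, as an added example that is not from the original article: a Python sketch using zlib that compares what an on-path observer can measure with compression on and with it off. The cookie value, host name and request layout are constructed for illustration, and encryption is assumed to preserve length.

```python
import zlib

# Constructed sample data: the cookie value and host are made up.
SECRET_COOKIE = "sessionid=4f9c2a71d0b8e6a3"
MATCH = "sessionid=4f9c2a71d0b8e6a3"   # injected text equal to the secret
MISS = "sessionid=3a6e8b0d17a2c9f4"    # same length and characters, wrong order


def build_request(injected: str) -> bytes:
    """Request in which injected plain text shares a stream with the cookie."""
    return (
        f"GET /search?q={injected} HTTP/1.1\r\n"
        "Host: shop.example.test\r\n"
        f"Cookie: {SECRET_COOKIE}\r\n\r\n"
    ).encode("ascii")


def observed_length(injected: str, compress: bool) -> int:
    """Size an on-path observer sees; encryption is assumed length-preserving."""
    body = build_request(injected)
    if compress:
        body = zlib.compress(body)  # DEFLATE, the method used by TLS compression
    return len(body)


def leaks(compress: bool) -> bool:
    """True if the observed size depends on whether the injected text matches."""
    return observed_length(MATCH, compress) != observed_length(MISS, compress)


if __name__ == "__main__":
    for compress in (True, False):
        print(
            f"compression={compress!s:5}",
            "match:", observed_length(MATCH, compress),
            "miss:", observed_length(MISS, compress),
            "leak:", leaks(compress),
        )
```

With compression off, both requests have the same size, which is why a client that never negotiates TLS compression or SPDY is not exposed.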
Recent releases of Firefox and Chrome have been patched, but it is unknown if Opera, Safari or other browsers are still susceptible.
In particular, mobile browsers are a key concern — researchers believe it is very likely smartphone browsers remain vulnerable.