LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

CRIME Attack Uses Compression Ratio of TLS Requests as Side Channel to Hijack Secure Sessions (threatpost)

CRIME Attack Uses Compression Ratio of TLS Requests as Side Channel to Hijack Secure Sessions (threatpost)

Posted Sep 14, 2012 9:35 UTC (Fri) by paulj (subscriber, #341)
In reply to: CRIME Attack Uses Compression Ratio of TLS Requests as Side Channel to Hijack Secure Sessions (threatpost) by butlerm
Parent article: CRIME Attack Uses Compression Ratio of TLS Requests as Side Channel to Hijack Secure Sessions (threatpost)

You have to have unfiltered BGP access, which any sane transit provider will only provide to other major transit providers

........ Sorry, I need a few more seconds to compose myself, stop rolling on the floor laughing, and get back on my chair before I can reply. ;)

Two problems:

1. You're assuming that the internet has clear borders between "anyone with a BGP router" and "major transit providers". You're assuming it is difficult for anyone in the out-set to persuade anyone in the in-set to let them in. Bear in mind some parts of the "transit provider" set can be large clusters of quite small players (sometimes literally 1-man operations). Bear in mind the internet has been growing at a good pace, and is likely to continue to grow for some time, and that many in the "transit provider" set have a business model that depends on that growth happening.

2. Ignoring point 1, taking it as given a clear delineation criteria between the transit ASes and the edges (clear from the POV of the transit providers), and a transit provider set which are *all* strongly motivated to exclude any new entrants: You're assuming that a large percentage of transit providers are both, a) technically competent at specifying filters b) have a clear financial motivation to spend their resources on implementing operational processes to ensure new non-transit customers will consistently have filters applied. Even if the vast majority of transit providers meet assumption a (and it's not clear that's the case ☺), assumption b doesn't hold for most (at least, it's not immediately obvious to them). So, there isn't really a great pressure on them to reliably implement these filters, and so often they don't (because they generally don't, or because their processes aren't rigorous enough to ensure they reliably do).

(Log in to post comments)

CRIME Attack Uses Compression Ratio of TLS Requests as Side Channel to Hijack Secure Sessions (threatpost)

Posted Sep 14, 2012 10:00 UTC (Fri) by paulj (subscriber, #341) [Link]

Edit: s/*all* strongly motivated to exclude any new entrants/*none* have a financial motivation to include new entrants/

(if they have a motivation to exclude then 2b clearly becomes true, oops ;) ).

Editing posts..

Posted Sep 14, 2012 10:17 UTC (Fri) by geertj (subscriber, #4116) [Link]

A request to our grumpy editor: will we see editing of comments for spelling/other mistakes in the site at some point? It's pretty annoying to see these correction posts (and i've had to do those myself as well in the past).

Editing posts..

Posted Sep 14, 2012 10:52 UTC (Fri) by hummassa (subscriber, #307) [Link]

Facebook solved the "historical revisionism" problem with editing in a really nice way: if you edit a post, the old version is just invisible, and it's still accessible via a "edited/show edition history" button/link.

CRIME Attack Uses Compression Ratio of TLS Requests as Side Channel to Hijack Secure Sessions (threatpost)

Posted Sep 16, 2012 8:34 UTC (Sun) by butlerm (subscriber, #13312) [Link]

>So, there isn't really a great pressure on them to reliably implement these filters, and so often they don't (because they generally don't, or because their processes aren't rigorous enough to ensure they reliably do).

The original poster claimed that "anyone with a BGP router" could do this, which is clearly not the case. One would hope that the various attempts to secure BGP route advertisements would have born some fruit by now, but apparently that isn't the case either.

CRIME Attack Uses Compression Ratio of TLS Requests as Side Channel to Hijack Secure Sessions (threatpost)

Posted Sep 16, 2012 18:16 UTC (Sun) by paulj (subscriber, #341) [Link]

Well, I was replying to the person who was claiming the other extreme, that such announcements required a kind of BGP connection that was very hard to obtain. Which is not the case. I did not argue that "anyone with a BGP router" could do it, however there are no real obstacles, other than needing a relatively small amount of money and perhaps a little time, to acquiring the capability.

Work to secure the BGP protocol is still quite a way away from being finished, never mind deployed.

CRIME Attack Uses Compression Ratio of TLS Requests as Side Channel to Hijack Secure Sessions (threatpost)

Posted Sep 18, 2012 17:34 UTC (Tue) by paulj (subscriber, #341) [Link]

Oh, another factor to consider is that you don't actually need to own a BGP router, in the legal sense. You just need control of it. Major router vendor control plane software is not immune to being 0wned...

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds