Red Hat Bugzilla – Bug 857737
CVE-2012-4930 SPDY: SSL/TLS CRIME attack
Last modified: 2012-09-24 12:25:24 EDT
CVE-2012-4930 was assigned to the following issue:
The SPDY protocol 3 and earlier, as used in Mozilla Firefox, Google Chrome, and other products, can perform TLS encryption of compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown
string in an HTTP header, aka a "CRIME" attack.
Reporters of the CRIME attack have published two variants of the attack:
- SSL/TLS connection with zlib compression - that issue got CVE-2012-4929 and is tracked via bug 857051
- SPDY protocol with header compression used over SSL/TLS connection without zlib compression, tracked via this bug
Bug 857051 already contains additional information and links regarding the CRIME attack. It also notes (in bug 857051, comment 4) that Mozilla Firefox versions shipped with Red Hat Enterprise Linux 5 and 6 do not support SPDY protocol, and are therefore unaffected by the SPDY attack vector.
Not vulnerable. This issue did not affect the versions of Firefox as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include SPDY protocol support.
*** Bug 859827 has been marked as a duplicate of this bug. ***
Adam Langley's (Google developer working on Chrome) blog post explaining some details of the attack, change that was applied to block SPDY attack variant (SPDY compression was disabled in Firefox 15 and Chrome 21), and some changes planned for future SPDY versions that would allow re-enabling header compression without re-introducing this problem.