Date:      Thu, 25 Oct 2012 09:22:13 -0400
From:      Wesley Shields <wxs@FreeBSD.org>
To:        freebsd-security@FreeBSD.org
Cc:        freebsd-ports@FreeBSD.org
Subject:   [HEADS UP]: CVE-2012-4929 (CRIME)
Message-ID:  <20121025132213.GA74946@atarininja.org>

I think there is nothing FreeBSD can do about this besides making sure
our users are aware of it. The situation in which this is a problem is
specific but one you should consider if you are using TLS with
compression.

TLS 1.2 and earlier are vulnerable to an attack commonly known as CRIME.
The attack involves TLS sessions using compression where an attacker is
able to inject known plaintext into the stream. Through a series of
guesses and measuring the length of the encrypted text, an attacker is
able to determine the plaintext.

The recommended workaround for now is to disable compression on servers
where this may have an impact. As this is a flaw in a protocol and no
one specific implementation, please consult the documentation for any
affected services to determine how to turn off TLS compression.

More information is available at:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4929

-- WXS