Immediate update of Firefox & Chrome engines needed!

[mbrazil]

http://tinyurl.com/8kn2wuz

Last week researchers unveiled a new exploit that allows the hijacking of HTTPS connections, the type of connections the world relies on for secure data transfer over the Internet.

Dubbed CRIME (Compression Ratio Info-leak Made Easy), the hack exploits vulnerabilities in Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols when a website uses either Deflate or SPDY, two compression techniques used to reduce server load when using HTTPS. This means not all HTTPS connections can be broken, but connections made with websites that utilize Deflate or SPDY are vulnerable... websites like Gmail, Twitter, and Dropbox. It also means that not all browsers are equal; browsers need to specifically support Deflate or SPDY for the techniques to be used because without browser support, an HTTPS connection to a website cannot use Deflate or SPDY.

Chrome and Firefox used to be susceptible to the CRIME exploit, but both Google and Mozilla quickly issued patches prior to CRIME going public, as the researchers notified them ahead of time. That means you should upgrade Firefox to the latest version. Internet Explorer was never vulnerable to CRIME because it never supported Deflate or SPDY.

[xiaobing]

Anderson is making a downloader that can be used in other browsers.
We are testing it.A beta version will come soon.

[mbrazil]

Anderson is making a downloader that can be used in other browsers.
We are testing it.A beta version will come soon.

I don't see how this relates to the need for the latest versions of the Firefox and Chrome engines to protect against the exploit described.

[Jasmine]

Hi Mike,
Have both chrome and firefox declared that their upgrades relate to this vulnerability? This article seems to lag behind the release of firefox 15.0.1 a dozen of days.

[mbrazil]

Hi Mike,
Have both chrome and firefox declared that their upgrades relate to this vulnerability? This article seems to lag behind the release of firefox 15.0.1 a dozen of days.

There doesn't appear to be any information on either Mozilla.org or Google.com regarding the exploit or updates to mitigate it. None of the reporting I've found mentions which versions of the engines contain changes that prevent the exploit.

From Wikipedia:

As of September 2012, the CRIME exploit has been mitigated by the latest versions of the Chrome and Firefox web browsers, and Microsoft has confirmed that their Internet Explorer browser was not vulnerable to the exploit.[1] Some websites have applied countermeasures at their end.[6]

http://tinyurl.com/9x2dehe

From The Register:

The researchers worked with Mozilla and Google to ensure that both Firefox and Chrome are protected.

http://tinyurl.com/9pfhauf

[bksening]

Both Chrome and Firefox, which use SPDY compression, where notified beforehand and fixed the security problem before the details of the CRIME exploit were publicly presented.

This is already fixed in current versions of Chrome 21 and Firefox 15. Just need to update to these versions of the engines.

For details, see Adam Langley's blog (Google security researcher and developer):
http://www.imperialviolet.org/2012/09/21/crime.html

[mbrazil]

Both Chrome and Firefox, which use SPDY compression, where notified beforehand and fixed the security problem before the details of the CRIME exploit were publicly presented.

This is already fixed in current versions of Chrome 21 and Firefox 15. Just need to update to these versions of the engines.

For details, see Adam Langley's blog (Google security researcher and developer):
http://www.imperialviolet.org/2012/09/21/crime.html

The problem is, users of Avant cannot update to newer versions of the engines. These updates have to be provided in an update to Avant.

[Jasmine]

The upgrade is coming soon.

[mbrazil]

The upgrade is coming soon.

Thanks, Jasmine.