I was just reading about CRIME which is an attack to steal sensitive information
Question
I was just reading about CRIME which is an attack to steal sensitive information by creating requests. Could this attack be mitigated, if the Server wouldn't send the client the actual session key to save in a cookie, but a random generated string, which maps to the session key? On each request (or every 100 requests) this random string is generated anew, so the client will have an ever-changing secret in his cookie.
This would make any attacks which require many requests which contain the same secret very difficult and would also provide the benefit that each of the random strings is only valid for a very short time...
Are there any obvious downsides to this approach? Or anything which wouldn't actually make it safer than today's methods?
Explanation / Answer
In the case of CRIME, the attack is on the client. Hostile JavaScript in the client triggers requests to the server, that the attacker observes from the outside; and (that's the important point here) the attacker can block the outgoing request. The attacker needs to see the encrypted records, but not necessarily to let them go all the way to the server.
Thus, throughout the attack, the server never sees any request with the cookie in it. Even if the server changed the cookie for every request (a "one-time-cookie"), the attack would still work.
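As an added illustration of the answer's point (example code, not part of the original thread): a toy model of a server that maps a random cookie string to the real session key and rotates it on every request it receives, a browser holding that cookie, and an on-path observer who triggers requests and can drop them before they reach the server. All class and function names, and the "real-session-key" placeholder, are constructed for this example.

```python
import secrets


class Server:
    """Issues a fresh random cookie string, mapped to the session key, on every request it sees."""

    def __init__(self):
        self.session_key = "real-session-key"  # constructed placeholder
        self.valid = {}  # random cookie string -> session key
        self.issued = 0

    def new_cookie(self):
        token = secrets.token_hex(8)
        self.valid[token] = self.session_key
        self.issued += 1
        return token

    def handle(self, cookie):
        # Rotation only ever happens here, i.e. for requests that actually arrive.
        if cookie not in self.valid:
            return None
        del self.valid[cookie]
        return self.new_cookie()


class Browser:
    def __init__(self, cookie):
        self.cookie = cookie

    def request(self):
        # Hostile JavaScript can trigger this; the cookie is attached automatically.
        return {"cookie": self.cookie, "body": "attacker-chosen data"}

    def receive(self, new_cookie):
        self.cookie = new_cookie


def run_probes(browser, server, n, block):
    """Trigger n requests. The observer sees every encrypted record leaving the
    browser (modelled here by recording which cookie value it carried) and, when
    block=True, drops it before the server can answer and rotate the cookie.
    Returns (distinct cookie values observed, rotations the server performed)."""
    before = server.issued
    observed = set()
    for _ in range(n):
        req = browser.request()
        observed.add(req["cookie"])
        if block:
            continue  # never reaches the server: no rotation
        browser.receive(server.handle(req["cookie"]))
    return len(observed), server.issued - before
```

With the requests blocked, every one of the n records leaves the browser carrying the same cookie value and the server performs no rotation at all, so per-request rotation offers no defence against an observer who can drop traffic.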