BEAST vs. CRIME Attack

Some months ago there was a top story popping up in almost all the security news feeds about CRIME attacks being able to break SSL. In this article, I would like to pin down what CRIME attacks and BEAST attacks are and how to protect against these attacks to create a safe atmosphere.
First we will look at the BEAST attack and later we will explain its successor, the CRIME attack.

BEAST Attack

The BEAST (browser exploit against SSL/TLS) was developed by researchers Thai Duong and Juliano Rizzo and can be carried out on TLS v1.0.TLS v 1.2 is not vulnerable to a BEAST attack. The CVE for a BEAST attack is CVE-2011-3389.
Whenever you log in to any https page, after your authentication you can see your authenticated page and, if you look carefully at the URL, you can see the session ID. A session ID is a random number or combination of numbers and string that maintains the state of the page; it is assigned by the website server to the client browser. The Session ID can be found either in the cookie or in the URL of the web browser .Usually, all the session IDs will be encrypted to prevent hijacking of the session.
I can break down this BEAST attack into three steps for simplicity.

==> Read More