TLS compression in PGP Encryption Server vulnerable to CRIME attack (Symantec Encryption Management Server)

Article ID: 157264

Products

Desktop Email Encryption, Drive Encryption, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, PGP Encryption Suite, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack (CVE-2012-4929).
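The length difference described above can be reproduced offline. The following is an added illustration, not code from this article or from the product; it uses Python's zlib as a stand-in for TLS-level DEFLATE, and the request, host name and cookie value are constructed. It compares the observable record length for one matching and one non-matching string, with and without compression.

```python
import zlib

# Constructed sample data: the cookie value and both guesses are made up.
SECRET_HEADER = b"Cookie: session=7f3a9c2e51d84b06a1c9\r\n"
RIGHT_GUESS = b"session=7f3a9c2e51d84b06a1c9"   # equals the header value
WRONG_GUESS = b"session=Qx0Lk8ZtWm4RbY2vNj6H"   # same length, different value


def build_request(reflected: bytes) -> bytes:
    """Build an HTTP request in which caller-chosen text (the query string)
    shares one compression context with a header the caller cannot read."""
    return (b"GET /?" + reflected + b" HTTP/1.1\r\n"
            b"Host: keys.example.test\r\n" + SECRET_HEADER + b"\r\n")


def record_length(plaintext: bytes, tls_compression: bool) -> int:
    """Return the payload length an on-path observer would see.
    Assumption: the cipher adds only a constant overhead, so ciphertext
    length tracks the (possibly compressed) plaintext length."""
    body = zlib.compress(plaintext) if tls_compression else plaintext
    return len(body)


def length_signal(tls_compression: bool) -> int:
    """Bytes by which the non-matching request is longer than the matching
    one. Any non-zero value is information leaked through length alone."""
    right = record_length(build_request(RIGHT_GUESS), tls_compression)
    wrong = record_length(build_request(WRONG_GUESS), tls_compression)
    return wrong - right


if __name__ == "__main__":
    print("signal with compression:   ", length_signal(True), "bytes")
    print("signal without compression:", length_signal(False), "bytes")
```

With compression the matching string is encoded as a back-reference to the header and the record shrinks; without compression both requests have identical length and the signal is zero.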

Resolution

This issue has been resolved in Symantec Encryption Management Server 3.3.1 and above.