PT-2012-5665 · Google · Spdy

Tomas Hoger · Published 2012-09-15 · Updated 2024-03-12 · CVE-2012-4930

CVSS v2.0: 2.6 (Low)
Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: SPDY protocol versions 3 and earlier

Description: The issue allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, also known as a "CRIME" attack. This is due to the SPDY protocol performing TLS encryption of compressed data without properly obfuscating the length of the unencrypted data.

Recommendations: For SPDY protocol versions 3 and earlier, consider disabling the use of TLS encryption with compressed data until a proper fix is implemented to obfuscate the length of the unencrypted data.
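The following check is an added example, not part of the original advisory. It shows why the recommendation works: two equal-length requests produce different on-wire lengths when the header block is compressed, and identical lengths when it is not. It assumes plain zlib as a simplified stand-in for SPDY header compression and models ciphertext length as equal to plaintext length; the header values, host name and function names are constructed for illustration.

```python
import zlib

# Constructed sample header; not taken from any real session.
SECRET_HEADER = b"cookie: session=7f3c9a1e5b2d4c8fa6e0b1d29c4f7a35\r\n"
SECRET_VALUE = SECRET_HEADER.split(b"=", 1)[1].strip()


def wire_length(request_path: bytes, compress: bool) -> int:
    """Length of the header block an on-path observer would see.

    Assumption: TLS adds only constant overhead, so ciphertext length
    tracks the length of the (optionally compressed) plaintext.
    """
    block = (
        b"GET " + request_path + b" HTTP/1.1\r\n"
        b"host: example.test\r\n" + SECRET_HEADER
    )
    return len(zlib.compress(block)) if compress else len(block)


def sample_paths() -> tuple[bytes, bytes]:
    """Two request paths of equal length: one repeats the header value,
    the other carries unrelated characters (constructed)."""
    repeating = b"/?session=" + SECRET_VALUE
    unrelated = b"/?session=Qz0XkLmWvYpRtHsNgJuBcDeFiOaVyTxU"
    if len(repeating) != len(unrelated):
        raise ValueError("sample paths must have equal length")
    return repeating, unrelated


def length_depends_on_content(compress: bool) -> bool:
    """True if equal-length requests yield different observable lengths,
    i.e. the framing leaks information about the secret header."""
    repeating, unrelated = sample_paths()
    return wire_length(repeating, compress) != wire_length(unrelated, compress)


if __name__ == "__main__":
    for mode in (True, False):
        state = "leaks" if length_depends_on_content(mode) else "no leak"
        print(f"compression={'on' if mode else 'off'}: {state}")
```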


Related identifiers

CVE-2012-4930
ROSA-SA-2024-2371

Affected products

Spdy