Diffstat (limited to 'doc/security/crime_vulnerability.md')
-rw-r--r-- | doc/security/crime_vulnerability.md | 36 |
1 files changed, 26 insertions, 10 deletions
diff --git a/doc/security/crime_vulnerability.md b/doc/security/crime_vulnerability.md index d61a205d954..9665cc0337f 100644 --- a/doc/security/crime_vulnerability.md +++ b/doc/security/crime_vulnerability.md @@ -1,3 +1,7 @@ +--- +type: reference +--- + # How we manage the TLS protocol CRIME vulnerability > CRIME ("Compression Ratio Info-leak Made Easy") is a security exploit against @@ -7,15 +11,15 @@ authentication cookies, it allows an attacker to perform session hijacking on an authenticated web session, allowing the launching of further attacks. ([CRIME](https://en.wikipedia.org/w/index.php?title=CRIME&oldid=692423806)) -### Description +## Description -The TLS Protocol CRIME Vulnerability affects compression over HTTPS, therefore -it warns against using SSL Compression (for example gzip) or SPDY which -optionally uses compression as well. +The TLS Protocol CRIME Vulnerability affects systems that use data compression +over HTTPS. Your system might be vulnerable to the CRIME vulnerability if you use +SSL Compression (for example, gzip) or SPDY (which optionally uses compression). GitLab supports both gzip and [SPDY][ngx-spdy] and mitigates the CRIME -vulnerability by deactivating gzip when HTTPS is enabled. You can see the -sources of the files in question: +vulnerability by deactivating gzip when HTTPS is enabled. The sources of the +files are here: - [Source installation NGINX file][source-nginx] - [Omnibus installation NGINX file][omnibus-nginx] @@ -24,7 +28,7 @@ Although SPDY is enabled in Omnibus installations, CRIME relies on compression (the 'C') and the default compression level in NGINX's SPDY module is 0 (no compression). -### Nessus +## Nessus The Nessus scanner, [reports a possible CRIME vulnerability][nessus] in GitLab similar to the following format: 
@@ -45,12 +49,12 @@ SPDY support earlier than version 4 is advertised. ``` From the report above it is important to note that Nessus is only checking if -TLS advertises the SPDY protocol earlier than version 4, it does not perform an -attack nor does it check if compression is enabled. With just this approach, it +TLS advertises the SPDY protocol earlier than version 4. It does not perform an +attack nor does it check if compression is enabled. The Nessus scanner alone cannot tell that SPDY's compression is disabled and not subject to the CRIME vulnerability. -### References +## References - Nginx ["Module ngx_http_spdy_module"][ngx-spdy] - Tenable Network Security, Inc. ["Transport Layer Security (TLS) Protocol CRIME Vulnerability"][nessus] @@ -61,3 +65,15 @@ vulnerability. [ngx-spdy]: http://nginx.org/en/docs/http/ngx_http_spdy_module.html [nessus]: https://www.tenable.com/plugins/index.php?view=single&id=62565 [wiki-crime]: https://en.wikipedia.org/wiki/CRIME + +<!-- ## Troubleshooting + +Include any troubleshooting steps that you can foresee. If you know beforehand what issues +one might have when setting this up, or when something is changed, or on upgrading, it's +important to describe those, too. Think of things that may go wrong and include them here. +This is important to minimize requests for support, and to avoid doc comments with +questions that you know someone might ask. + +Each scenario can be a third-level heading, e.g. `### Getting error message X`. +If you have none to add when creating a doc, leave this section in place +but commented out to help encourage others to add to it in the future. --> |
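Review bot: in the Description hunk (`@@ -7,15 +11,15 @@`), the rewritten sentence "Your system might be vulnerable to the CRIME vulnerability if you use SSL Compression (for example, gzip)" still treats gzip as an example of SSL/TLS compression, but gzip is an HTTP `Content-Encoding`, not a TLS-layer compression method, and the mitigation the next paragraph describes (deactivating gzip in the NGINX configuration when HTTPS is enabled) acts on that HTTP layer. Consider naming the layer explicitly, e.g. "if you enable TLS-level compression, HTTP response compression such as gzip over HTTPS, or SPDY with compression", so the reader can tell which setting the linked NGINX files actually turn off. Also, "The sources of the files are here:" reads awkwardly; "The relevant NGINX configuration files are:" would be clearer.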
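Review bot: in the Nessus hunk (`@@ -45,12 +49,12 @@`), the new wording "The Nessus scanner alone cannot tell that SPDY's compression is disabled" is a clear improvement, but the page never tells the reader how to confirm this for their own instance, so the scan finding is left as an unverified "trust us"; a sentence pointing at where the SPDY compression level is set in the Omnibus NGINX file (already linked via `[omnibus-nginx]`) would let an administrator close the finding with evidence. Minor consistency point in the context lines: the References list spells the project "Nginx" while the body uses "NGINX".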
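Review bot: the last hunk (`@@ -61,3 +65,15 @@`) adds a commented-out Troubleshooting template ("Include any troubleshooting steps that you can foresee…") that ships documentation-style instructions in the page source without rendering anything. Either populate it with the one scenario this page already implies, a third-level heading such as `### Nessus reports CRIME on an Omnibus installation` that explains the finding is a SPDY-version check and how to show compression is off, or leave the section out of this commit; the template text belongs in the docs style guide rather than in every reference page.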