diff options
Diffstat (limited to 'doc/security/crime_vulnerability.md')
| -rw-r--r-- | doc/security/crime_vulnerability.md | 24 |
1 files changed, 9 insertions, 15 deletions
diff --git a/doc/security/crime_vulnerability.md b/doc/security/crime_vulnerability.md index 93edbc69eb0..2496029d93e 100644 --- a/doc/security/crime_vulnerability.md +++ b/doc/security/crime_vulnerability.md @@ -14,14 +14,14 @@ authenticated web session, allowing the launching of further attacks. The TLS Protocol CRIME Vulnerability affects systems that use data compression over HTTPS. Your system might be vulnerable to the CRIME vulnerability if you use -SSL Compression (for example, gzip) or SPDY (which optionally uses compression). +SSL Compression (for example, Gzip) or SPDY (which optionally uses compression). -GitLab supports both gzip and [SPDY][ngx-spdy] and mitigates the CRIME -vulnerability by deactivating gzip when HTTPS is enabled. The sources of the +GitLab supports both Gzip and [SPDY](http://nginx.org/en/docs/http/ngx_http_spdy_module.html) and mitigates the CRIME +vulnerability by deactivating Gzip when HTTPS is enabled. The sources of the files are here: -- [Source installation NGINX file][source-nginx] -- [Omnibus installation NGINX file][omnibus-nginx] +- [Source installation NGINX file](https://gitlab.com/gitlab-org/gitlab/blob/master/lib/support/nginx/gitlab-ssl) +- [Omnibus installation NGINX file](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb) Although SPDY is enabled in Omnibus installations, CRIME relies on compression (the 'C') and the default compression level in NGINX's SPDY module is 0 @@ -29,7 +29,7 @@ Although SPDY is enabled in Omnibus installations, CRIME relies on compression ## Nessus -The Nessus scanner, [reports a possible CRIME vulnerability][nessus] in GitLab +The Nessus scanner, [reports a possible CRIME vulnerability](https://www.tenable.com/plugins/index.php?view=single&id=62565) in GitLab similar to the following format: ```plaintext @@ -55,15 +55,9 @@ vulnerability. ## References -- NGINX ["Module ngx_http_spdy_module"][ngx-spdy] -- Tenable Network Security, Inc. ["Transport Layer Security (TLS) Protocol CRIME Vulnerability"][nessus] -- Wikipedia contributors, ["CRIME"][wiki-crime] Wikipedia, The Free Encyclopedia - -[source-nginx]: https://gitlab.com/gitlab-org/gitlab/blob/master/lib/support/nginx/gitlab-ssl -[omnibus-nginx]: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb -[ngx-spdy]: http://nginx.org/en/docs/http/ngx_http_spdy_module.html -[nessus]: https://www.tenable.com/plugins/index.php?view=single&id=62565 -[wiki-crime]: https://en.wikipedia.org/wiki/CRIME +- NGINX ["Module ngx_http_spdy_module"](http://nginx.org/en/docs/http/ngx_http_spdy_module.html) +- Tenable Network Security, Inc. ["Transport Layer Security (TLS) Protocol CRIME Vulnerability"](https://www.tenable.com/plugins/index.php?view=single&id=62565) +- Wikipedia contributors, ["CRIME"](https://en.wikipedia.org/wiki/CRIME) Wikipedia, The Free Encyclopedia <!-- ## Troubleshooting |