Diffstat (limited to 'doc/security/crime_vulnerability.md')
-rw-r--r-- | doc/security/crime_vulnerability.md | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/doc/security/crime_vulnerability.md b/doc/security/crime_vulnerability.md index e5d8d858df2..39cd8f8e074 100644 --- a/doc/security/crime_vulnerability.md +++ b/doc/security/crime_vulnerability.md @@ -27,7 +27,7 @@ files are here: - [Omnibus installation NGINX file](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb) Although SPDY is enabled in Omnibus installations, CRIME relies on compression -(the 'C') and the default compression level in NGINX's SPDY module is 0 +(the 'C') and the default compression level in the NGINX SPDY module is 0 (no compression). ## Nessus @@ -50,7 +50,7 @@ The following configuration indicates that the remote service may be vulnerable SPDY support earlier than version 4 is advertised. ``` -From the report above it is important to note that Nessus is only checking if +The report above indicates that Nessus is only checking if TLS advertises the SPDY protocol earlier than version 4. It does not perform an attack nor does it check if compression is enabled. The Nessus scanner alone cannot tell that SPDY compression is disabled and not subject to the CRIME |
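Review bot: In the first hunk (@@ -27,7 +27,7 @@), the sentence around the reworded line still reads "Although SPDY is enabled in Omnibus installations, CRIME relies on compression (the 'C') and the default compression level ... is 0", which never states its conclusion and only covers the default value. Suggest closing the sentence with an explicit statement that an Omnibus installation left at the default is not exposed, and naming the NGINX setting a reader should inspect to confirm the compression level has not been raised from 0.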
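Review bot: In the second hunk (@@ -50,7 +50,7 @@), the new line "The report above indicates that Nessus is only checking if" keeps the loose "is only checking if" wording, and the unchanged sentence after it, "It does not perform an attack nor does it check if compression is enabled", has the same problem. Suggest "The report above shows that Nessus checks only whether TLS advertises a SPDY version earlier than 4" and "It neither performs an attack nor checks whether compression is enabled", so the finding reads as an advertisement check rather than a confirmed vulnerability.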