Commit e081edc1 authored by Achilleas Pipinellis

Clean up CRIME security doc [ci skip]

parent 05f8c585
# How we manage the TLS protocol CRIME vulnerability # How we manage the TLS protocol CRIME vulnerability
> CRIME ("Compression Ratio Info-leak Made Easy") is a security exploit against > CRIME ("Compression Ratio Info-leak Made Easy") is a security exploit against
secret web cookies over connections using the HTTPS and SPDY protocols that also secret web cookies over connections using the HTTPS and SPDY protocols that also
use data compression.[1][2] When used to recover the content of secret use data compression. When used to recover the content of secret
authentication cookies, it allows an attacker to perform session hijacking on an authentication cookies, it allows an attacker to perform session hijacking on an
authenticated web session, allowing the launching of further attacks. authenticated web session, allowing the launching of further attacks.
([CRIME](https://en.wikipedia.org/w/index.php?title=CRIME&oldid=692423806)) ([CRIME](https://en.wikipedia.org/w/index.php?title=CRIME&oldid=692423806))
### Description ### Description
The TLS Protocol CRIME Vulnerability affects compression over HTTPS therefore The TLS Protocol CRIME Vulnerability affects compression over HTTPS, therefore
it warns against using SSL Compression, take gzip for example, or SPDY which it warns against using SSL Compression (for example gzip) or SPDY which
optionally uses compression as well. optionally uses compression as well.
GitLab support both gzip and SPDY and manages the CRIME vulnerability by GitLab supports both gzip and [SPDY][ngx-spdy] and mitigates the CRIME
deactivating gzip when https is enabled and not activating the compression vulnerability by deactivating gzip when HTTPS is enabled. You can see the
feature on SDPY. sources of the files in question:
Take a look at our configuration file for NGINX if you'd like to explore how the * [Source installation NGINX file][source-nginx]
conditions are setup for gzip deactivation on this link: * [Omnibus installation NGINX file][omnibus-nginx]
[GitLab NGINX File](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb).
For SPDY you can also watch how its implmented on NGINX at [GitLab NGINX File](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb)
but take into consideration the NGINX documentation on its default state here:
[Module ngx_http_spdy_module](http://nginx.org/en/docs/http/ngx_http_spdy_module.html).
Although SPDY is enabled in Omnibus installations, CRIME relies on compression
(the 'C') and the default compression level in NGINX's SPDY module is 0
(no compression).
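Review bot: the rewritten Description drops the old closing paragraph stating that the default compression level in NGINX's SPDY module is 0 (no compression), yet the Nessus section below still concludes that "SPDY's compression is disabled and not subject to the CRIME vulnerability"; with that sentence gone, nothing in the document supports the conclusion. Keep a sentence such as "SPDY is enabled in Omnibus installations, but the default compression level in NGINX's SPDY module is 0 (no compression)" after the list of NGINX files, citing [ngx-spdy]. The phrase "SSL Compression (for example gzip)" also blurs two layers: the `gzip` setting in the linked NGINX files controls HTTP response compression, while TLS-level compression (the "SSL/TLS compression is enabled" check in the Nessus output) is a separate setting; the text should say which one the configuration turns off.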
### Nessus ### Nessus
The Nessus scanner reports a possible CRIME vunerability for GitLab similar to the The Nessus scanner, [reports a possible CRIME vulnerability][nessus] in GitLab
following format: similar to the following format:
Description
This remote service has one of two configurations that are known to be required for the CRIME attack: ```
SSL/TLS compression is enabled. Description
TLS advertises the SPDY protocol earlier than version 4.
... This remote service has one of two configurations that are known to be required for the CRIME attack:
SSL/TLS compression is enabled.
TLS advertises the SPDY protocol earlier than version 4.
Output ...
The following configuration indicates that the remote service may be vulnerable to the CRIME attack: Output
SPDY support earlier than version 4 is advertised.
*[This](http://www.tenable.com/plugins/index.php?view=single&id=62565) is a complete description from Nessus.* The following configuration indicates that the remote service may be vulnerable to the CRIME attack:
SPDY support earlier than version 4 is advertised.
```
From the report above its important to note that Nessus is only checkng if TLS From the report above it is important to note that Nessus is only checking if
advertises the SPDY protocol earlier than version 4, it does not perform an TLS advertises the SPDY protocol earlier than version 4, it does not perform an
attack nor does it check if compression is enabled. With just this approach it attack nor does it check if compression is enabled. With just this approach, it
cannot tell that SPDY's compression is disabled and not subject to the CRIME cannot tell that SPDY's compression is disabled and not subject to the CRIME
vulnerbility. vulnerability.
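Review bot: "The Nessus scanner, [reports a possible CRIME vulnerability][nessus] in GitLab" has a stray comma between subject and verb; drop it. In the closing paragraph, "earlier than version 4, it does not perform an attack" is a comma splice; split it into two sentences or use a semicolon. Since the fenced block is quoted scanner output rather than code, consider giving the fence a `text` info string so it is not syntax-highlighted.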
### References
* Nginx ["Module ngx_http_spdy_module"][ngx-spdy]
* Tenable Network Security, Inc. ["Transport Layer Security (TLS) Protocol CRIME Vulnerability"][nessus]
* Wikipedia contributors, ["CRIME"][wiki-crime] Wikipedia, The Free Encyclopedia
### Reference [source-nginx]: https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/support/nginx/gitlab-ssl
* Nginx. "Module ngx_http_spdy_module", Fri. 18 Dec. [omnibus-nginx]: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
* Tenable Network Security, Inc. "Transport Layer Security (TLS) Protocol CRIME Vulnerability", Web. 15 Dec. [ngx-spdy]: http://nginx.org/en/docs/http/ngx_http_spdy_module.html
* Wikipedia contributors. "CRIME." Wikipedia, The Free Encyclopedia. Wikipedia, The Free Encyclopedia, 25 Nov. 2015. Web. 15 Dec. 2015. [nessus]: https://www.tenable.com/plugins/index.php?view=single&id=62565
\ No newline at end of file [wiki-crime]: https://en.wikipedia.org/wiki/CRIME
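Review bot: the new `[wiki-crime]` reference definition points at the live article, while the quotation at the top of the page still links inline to the pinned revision (oldid=692423806), and the revision and access dates the old citation carried ("25 Nov. 2015. Web. 15 Dec. 2015") were dropped. Either point `[wiki-crime]` at the permalink and use it in the quotation too, or keep the dates so the quoted text can be matched to a revision. The Nginx and Tenable entries lost their access dates in the same way; keeping them is cheap and makes the citations reproducible.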