Adding how we manage CRIME vulnerability to security docs [ci skip]
This commit is contained in:
Jose Torres
parent
4b4cbf0ce4
commit
a3de46654b
2 changed files with 60 additions and 0 deletions
|
|
@ -6,3 +6,4 @@
|
|||
- [Information exclusivity](information_exclusivity.md)
|
||||
- [Reset your root password](reset_root_password.md)
|
||||
- [User File Uploads](user_file_uploads.md)
|
||||
- [How we manage the CRIME vulnerability](crime_vulnerability.md)
|
||||
|
|
|
|||
59
doc/security/crime_vulnerability.md
Normal file
59
doc/security/crime_vulnerability.md
Normal file
|
|
@ -0,0 +1,59 @@
|
|||
# How we manage the TLS protocol CRIME vulnerability
|
||||
|
||||
> CRIME ("Compression Ratio Info-leak Made Easy") is a security exploit against
|
||||
secret web cookies over connections using the HTTPS and SPDY protocols that also
|
||||
use data compression.[1][2] When used to recover the content of secret
|
||||
authentication cookies, it allows an attacker to perform session hijacking on an
|
||||
authenticated web session, allowing the launching of further attacks.
|
||||
([CRIME](https://en.wikipedia.org/w/index.php?title=CRIME&oldid=692423806))
|
||||
|
||||
### Description
|
||||
|
||||
The TLS Protocol CRIME Vulnerability affects compression over HTTPS therefore
|
||||
it warns against using SSL Compression, take gzip for example, or SPDY which
|
||||
optionally uses compression as well.
|
||||
|
||||
GitLab support both gzip and SPDY and manages the CRIME vulnerability by
|
||||
deactivating gzip when https is enabled and not activating the compression
|
||||
feature on SDPY.
|
||||
|
||||
Take a look at our configuration file for NGINX if you'd like to explore how the
|
||||
conditions are setup for gzip deactivation on this link:
|
||||
[GitLab NGINX File](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb).
|
||||
|
||||
For SPDY you can also watch how its implmented on NGINX at [GitLab NGINX File](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb)
|
||||
but take into consideration the NGINX documentation on its default state here:
|
||||
[Module ngx_http_spdy_module](http://nginx.org/en/docs/http/ngx_http_spdy_module.html).
|
||||
|
||||
|
||||
### Nessus
|
||||
|
||||
The Nessus scanner reports a possible CRIME vunerability for GitLab similar to the
|
||||
following format:
|
||||
|
||||
Description
|
||||
|
||||
This remote service has one of two configurations that are known to be required for the CRIME attack:
|
||||
SSL/TLS compression is enabled.
|
||||
TLS advertises the SPDY protocol earlier than version 4.
|
||||
|
||||
...
|
||||
|
||||
Output
|
||||
|
||||
The following configuration indicates that the remote service may be vulnerable to the CRIME attack:
|
||||
SPDY support earlier than version 4 is advertised.
|
||||
|
||||
*[This](http://www.tenable.com/plugins/index.php?view=single&id=62565) is a complete description from Nessus.*
|
||||
|
||||
From the report above its important to note that Nessus is only checkng if TLS
|
||||
advertises the SPDY protocol earlier than version 4, it does not perform an
|
||||
attack nor does it check if compression is enabled. With just this approach it
|
||||
cannot tell that SPDY's compression is disabled and not subject to the CRIME
|
||||
vulnerbility.
|
||||
|
||||
|
||||
### Reference
|
||||
* Nginx. "Module ngx_http_spdy_module", Fri. 18 Dec.
|
||||
* Tenable Network Security, Inc. "Transport Layer Security (TLS) Protocol CRIME Vulnerability", Web. 15 Dec.
|
||||
* Wikipedia contributors. "CRIME." Wikipedia, The Free Encyclopedia. Wikipedia, The Free Encyclopedia, 25 Nov. 2015. Web. 15 Dec. 2015.
|
||||
Loading…
Reference in a new issue