diff --git a/doc/security/README.md b/doc/security/README.md index fba6013d9c1..7df7cef6aa5 100644 --- a/doc/security/README.md +++ b/doc/security/README.md @@ -6,3 +6,4 @@ - [Information exclusivity](information_exclusivity.md) - [Reset your root password](reset_root_password.md) - [User File Uploads](user_file_uploads.md) +- [How we manage the CRIME vulnerability](crime_vulnerability.md) diff --git a/doc/security/crime_vulnerability.md b/doc/security/crime_vulnerability.md new file mode 100644 index 00000000000..d716bff85a5 --- /dev/null +++ b/doc/security/crime_vulnerability.md 
@@ -0,0 +1,59 @@ +# How we manage the TLS protocol CRIME vulnerability + +> CRIME ("Compression Ratio Info-leak Made Easy") is a security exploit against +secret web cookies over connections using the HTTPS and SPDY protocols that also +use data compression.[1][2] When used to recover the content of secret +authentication cookies, it allows an attacker to perform session hijacking on an +authenticated web session, allowing the launching of further attacks. +([CRIME](https://en.wikipedia.org/w/index.php?title=CRIME&oldid=692423806)) + +### Description + +The TLS Protocol CRIME Vulnerability affects compression over HTTPS therefore +it warns against using SSL Compression, take gzip for example, or SPDY which +optionally uses compression as well. + +GitLab support both gzip and SPDY and manages the CRIME vulnerability by +deactivating gzip when https is enabled and not activating the compression +feature on SDPY. + +Take a look at our configuration file for NGINX if you'd like to explore how the +conditions are setup for gzip deactivation on this link: +[GitLab NGINX File](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb). + +For SPDY you can also watch how its implmented on NGINX at [GitLab NGINX File](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb) +but take into consideration the NGINX documentation on its default state here: +[Module ngx_http_spdy_module](http://nginx.org/en/docs/http/ngx_http_spdy_module.html). + + +### Nessus + +The Nessus scanner reports a possible CRIME vunerability for GitLab similar to the +following format: + + Description + + This remote service has one of two configurations that are known to be required for the CRIME attack: + SSL/TLS compression is enabled. + TLS advertises the SPDY protocol earlier than version 4. + + ... 
+ + Output + + The following configuration indicates that the remote service may be vulnerable to the CRIME attack: + SPDY support earlier than version 4 is advertised. + +*[This](http://www.tenable.com/plugins/index.php?view=single&id=62565) is a complete description from Nessus.* + +From the report above its important to note that Nessus is only checkng if TLS +advertises the SPDY protocol earlier than version 4, it does not perform an +attack nor does it check if compression is enabled. With just this approach it +cannot tell that SPDY's compression is disabled and not subject to the CRIME +vulnerbility. + + +### Reference +* Nginx. "Module ngx_http_spdy_module", Fri. 18 Dec. +* Tenable Network Security, Inc. "Transport Layer Security (TLS) Protocol CRIME Vulnerability", Web. 15 Dec. +* Wikipedia contributors. "CRIME." Wikipedia, The Free Encyclopedia. Wikipedia, The Free Encyclopedia, 25 Nov. 2015. Web. 15 Dec. 2015. \ No newline at end of file
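Review bot: the new entry in doc/security/README.md breaks the alphabetical order of the surrounding list (Information exclusivity, Reset your root password, User File Uploads); `- [How we manage the CRIME vulnerability](crime_vulnerability.md)` belongs before the "Information exclusivity" line rather than appended at the end. Its link text also differs from the new page's own H1 ("How we manage the TLS protocol CRIME vulnerability"); use the same wording in both places so the index matches the page.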
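Review bot: the Description section of crime_vulnerability.md conflates two different compression layers, so the stated mitigation does not match the vulnerability it names. CRIME targets TLS-level compression (the DEFLATE compression method negotiated in the TLS handshake) and SPDY header compression; HTTP-level response gzip, which is what the NGINX `gzip` directive in the linked nginx-gitlab-http.conf.erb controls, is the vector for the related BREACH attack, not for CRIME. The sentence "it warns against using SSL Compression, take gzip for example" should be split into two separate statements: where TLS-level compression is disabled (in the OpenSSL build or the NGINX configuration), and that SPDY header compression is left at its off default, naming the directive (`spdy_headers_comp`) and its default rather than only pointing the reader at the module documentation. If the HTTP gzip deactivation is meant to stay on this page, say explicitly that it addresses compression of response bodies over HTTPS, not the TLS compression CRIME exploits. In the Nessus section, "it does not perform an attack nor does it check if compression is enabled" contradicts the quoted plugin description, which lists "SSL/TLS compression is enabled" as one of the two configurations it checks; narrow the sentence to what the quoted output supports: the scanner only sees that SPDY earlier than version 4 is advertised and cannot tell whether SPDY header compression is actually enabled on the server. Spelling and grammar to fix in the same hunk: "GitLab support both" should read "GitLab supports both", "SDPY" should read "SPDY", "implmented" should read "implemented", "vunerability" and "vulnerbility" should read "vulnerability", "checkng" should read "checking", "its important" should read "it's important", and "setup" (verb) should read "set up". Structurally, the headings jump from "#" straight to "###" with no "##" level, the Nginx entry under Reference lacks a year ("Fri. 18 Dec.") while the other two entries carry one, and the file is missing its trailing newline ("\ No newline at end of file").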