Adding how we manage CRIME vulnerability to security docs [ci skip]
This commit is contained in:
parent
4b4cbf0ce4
commit
a3de46654b
|
@ -6,3 +6,4 @@
|
||||||
- [Information exclusivity](information_exclusivity.md)
|
- [Information exclusivity](information_exclusivity.md)
|
||||||
- [Reset your root password](reset_root_password.md)
|
- [Reset your root password](reset_root_password.md)
|
||||||
- [User File Uploads](user_file_uploads.md)
|
- [User File Uploads](user_file_uploads.md)
|
||||||
|
- [How we manage the CRIME vulnerability](crime_vulnerability.md)
|
||||||
|
|
|
@ -0,0 +1,59 @@
|
||||||
|
# How we manage the TLS protocol CRIME vulnerability
|
||||||
|
|
||||||
|
> CRIME ("Compression Ratio Info-leak Made Easy") is a security exploit against
|
||||||
|
secret web cookies over connections using the HTTPS and SPDY protocols that also
|
||||||
|
use data compression.[1][2] When used to recover the content of secret
|
||||||
|
authentication cookies, it allows an attacker to perform session hijacking on an
|
||||||
|
authenticated web session, allowing the launching of further attacks.
|
||||||
|
([CRIME](https://en.wikipedia.org/w/index.php?title=CRIME&oldid=692423806))
|
||||||
|
|
||||||
|
### Description
|
||||||
|
|
||||||
|
The TLS Protocol CRIME Vulnerability affects compression over HTTPS therefore
|
||||||
|
it warns against using SSL Compression, take gzip for example, or SPDY which
|
||||||
|
optionally uses compression as well.
|
||||||
|
|
||||||
|
GitLab support both gzip and SPDY and manages the CRIME vulnerability by
|
||||||
|
deactivating gzip when https is enabled and not activating the compression
|
||||||
|
feature on SDPY.
|
||||||
|
|
||||||
|
Take a look at our configuration file for NGINX if you'd like to explore how the
|
||||||
|
conditions are setup for gzip deactivation on this link:
|
||||||
|
[GitLab NGINX File](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb).
|
||||||
|
|
||||||
|
For SPDY you can also watch how its implmented on NGINX at [GitLab NGINX File](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb)
|
||||||
|
but take into consideration the NGINX documentation on its default state here:
|
||||||
|
[Module ngx_http_spdy_module](http://nginx.org/en/docs/http/ngx_http_spdy_module.html).
|
||||||
|
|
||||||
|
|
||||||
|
### Nessus
|
||||||
|
|
||||||
|
The Nessus scanner reports a possible CRIME vunerability for GitLab similar to the
|
||||||
|
following format:
|
||||||
|
|
||||||
|
Description
|
||||||
|
|
||||||
|
This remote service has one of two configurations that are known to be required for the CRIME attack:
|
||||||
|
SSL/TLS compression is enabled.
|
||||||
|
TLS advertises the SPDY protocol earlier than version 4.
|
||||||
|
|
||||||
|
...
|
||||||
|
|
||||||
|
Output
|
||||||
|
|
||||||
|
The following configuration indicates that the remote service may be vulnerable to the CRIME attack:
|
||||||
|
SPDY support earlier than version 4 is advertised.
|
||||||
|
|
||||||
|
*[This](http://www.tenable.com/plugins/index.php?view=single&id=62565) is a complete description from Nessus.*
|
||||||
|
|
||||||
|
From the report above its important to note that Nessus is only checkng if TLS
|
||||||
|
advertises the SPDY protocol earlier than version 4, it does not perform an
|
||||||
|
attack nor does it check if compression is enabled. With just this approach it
|
||||||
|
cannot tell that SPDY's compression is disabled and not subject to the CRIME
|
||||||
|
vulnerbility.
|
||||||
|
|
||||||
|
|
||||||
|
### Reference
|
||||||
|
* Nginx. "Module ngx_http_spdy_module", Fri. 18 Dec.
|
||||||
|
* Tenable Network Security, Inc. "Transport Layer Security (TLS) Protocol CRIME Vulnerability", Web. 15 Dec.
|
||||||
|
* Wikipedia contributors. "CRIME." Wikipedia, The Free Encyclopedia. Wikipedia, The Free Encyclopedia, 25 Nov. 2015. Web. 15 Dec. 2015.
|
Loading…
Reference in New Issue