| field | value | date |
|---|---|---|
| author | Jose Torres <torres@balameb.com> | 2015-12-19 15:16:50 -0600 |
| committer | Jose Torres <torres@balameb.com> | 2015-12-19 15:17:27 -0600 |
| commit | a3de46654b2fe0f02995913a771e6423bb584d64 (patch) | |
| tree | 420039e565baeea74f5ab13ce7a01ae1d3f9f67d | |
| parent | 4b4cbf0ce4925e22a635e4432e7ac8602199fa5b (diff) | |
| download | gitlab-ce-a3de46654b2fe0f02995913a771e6423bb584d64.tar.gz | |
Adding how we manage CRIME vulnerability to security docs [ci skip]

Branch: adding_crime_security
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | doc/security/README.md | 1 |
| -rw-r--r-- | doc/security/crime_vulnerability.md | 59 |
2 files changed, 60 insertions, 0 deletions
| diff --git a/doc/security/README.md b/doc/security/README.md index fba6013d9c1..7df7cef6aa5 100644 --- a/doc/security/README.md +++ b/doc/security/README.md @@ -6,3 +6,4 @@  - [Information exclusivity](information_exclusivity.md)  - [Reset your root password](reset_root_password.md)  - [User File Uploads](user_file_uploads.md) +- [How we manage the CRIME vulnerability](crime_vulnerability.md) diff --git a/doc/security/crime_vulnerability.md b/doc/security/crime_vulnerability.md new file mode 100644 index 00000000000..d716bff85a5 --- /dev/null +++ b/doc/security/crime_vulnerability.md 
@@ -0,0 +1,59 @@ +# How we manage the TLS protocol CRIME vulnerability + +> CRIME ("Compression Ratio Info-leak Made Easy") is a security exploit against  +secret web cookies over connections using the HTTPS and SPDY protocols that also  +use data compression.[1][2] When used to recover the content of secret  +authentication cookies, it allows an attacker to perform session hijacking on an  +authenticated web session, allowing the launching of further attacks. +([CRIME](https://en.wikipedia.org/w/index.php?title=CRIME&oldid=692423806)) + +### Description + +The TLS Protocol CRIME Vulnerability affects compression over HTTPS therefore  +it warns against using SSL Compression, take gzip for example, or SPDY which  +optionally uses compression as well.  + +GitLab support both gzip and SPDY and manages the CRIME vulnerability by  +deactivating gzip when https is enabled and not activating the compression +feature on SDPY. + +Take a look at our configuration file for NGINX if you'd like to explore how the  +conditions are setup for gzip deactivation on this link:  +[GitLab NGINX File](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb). + +For SPDY you can also watch how its implmented on NGINX at [GitLab NGINX File](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb) +but take into consideration the NGINX documentation on its default state here:  +[Module ngx_http_spdy_module](http://nginx.org/en/docs/http/ngx_http_spdy_module.html). + + +### Nessus + +The Nessus scanner reports a possible CRIME vunerability for GitLab similar to the  +following format: + +	Description + +	This remote service has one of two configurations that are known to be required for the CRIME attack: +	SSL/TLS compression is enabled. +	TLS advertises the SPDY protocol earlier than version 4. + +	... 
+ +	Output + +	The following configuration indicates that the remote service may be vulnerable to the CRIME attack: +	SPDY support earlier than version 4 is advertised. + +*[This](http://www.tenable.com/plugins/index.php?view=single&id=62565) is a complete description from Nessus.* + +From the report above its important to note that Nessus is only checkng if TLS +advertises the SPDY protocol earlier than version 4, it does not perform an  +attack nor does it check if compression is enabled. With just this approach it  +cannot tell that SPDY's compression is disabled and not subject to the CRIME +vulnerbility. + + +### Reference +* Nginx. "Module ngx_http_spdy_module", Fri. 18 Dec. +* Tenable Network Security, Inc. "Transport Layer Security (TLS) Protocol CRIME Vulnerability", Web. 15 Dec. +* Wikipedia contributors. "CRIME." Wikipedia, The Free Encyclopedia. Wikipedia, The Free Encyclopedia, 25 Nov. 2015. Web. 15 Dec. 2015.
\ No newline at end of file | 
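Review bot: in the Nessus section of doc/security/crime_vulnerability.md, the sentence "it does not perform an attack nor does it check if compression is enabled" contradicts the plugin description quoted directly above it, which lists "SSL/TLS compression is enabled" as one of the two configurations the plugin detects; what the quoted Output actually shows is that only the SPDY-advertisement condition fired here, so reword to something like "in this report Nessus flagged only the SPDY advertisement; it does not attempt the attack, and advertising SPDY earlier than version 4 does not by itself prove that header compression is in use". In the Description section, the gzip and SPDY paragraphs both link to the same Omnibus template (nginx-gitlab-http.conf.erb), and the SPDY paragraph defers to "the NGINX documentation on its default state" without naming the directive or the default value the mitigation relies on; name it explicitly, and say whether installations from source that ship their own NGINX configuration must replicate the same settings, since only the Omnibus cookbook is referenced. Smaller points: "SDPY" should be "SPDY", "GitLab support both" should be "GitLab supports both", "setup" should be "set up", "implmented", "vunerability", "checkng" and "vulnerbility" are misspelled, "its important" should be "it's important", the "[1][2]" markers carried over in the Wikipedia quote point to nothing in this file, and the Nginx and Tenable entries in the Reference list lack a year while the Wikipedia entry has one.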
