2019-09-04 21:01:54 +05:30
|
|
|
---
|
|
|
|
type: reference
|
|
|
|
---
|
|
|
|
|
2016-01-14 18:37:52 +05:30
|
|
|
# How we manage the TLS protocol CRIME vulnerability
|
|
|
|
|
|
|
|
> CRIME ("Compression Ratio Info-leak Made Easy") is a security exploit against
|
|
|
|
secret web cookies over connections using the HTTPS and SPDY protocols that also
|
|
|
|
use data compression. When used to recover the content of secret
|
|
|
|
authentication cookies, it allows an attacker to perform session hijacking on an
|
|
|
|
authenticated web session, allowing the launching of further attacks.
|
|
|
|
([CRIME](https://en.wikipedia.org/w/index.php?title=CRIME&oldid=692423806))
|
|
|
|
|
2019-09-04 21:01:54 +05:30
|
|
|
## Description
|
2016-01-14 18:37:52 +05:30
|
|
|
|
2019-09-04 21:01:54 +05:30
|
|
|
The TLS Protocol CRIME Vulnerability affects systems that use data compression
|
|
|
|
over HTTPS. Your system might be vulnerable to the CRIME vulnerability if you use
|
|
|
|
SSL Compression (for example, gzip) or SPDY (which optionally uses compression).
|
2016-01-14 18:37:52 +05:30
|
|
|
|
|
|
|
GitLab supports both gzip and [SPDY][ngx-spdy] and mitigates the CRIME
|
2019-09-04 21:01:54 +05:30
|
|
|
vulnerability by deactivating gzip when HTTPS is enabled. The sources of the
|
|
|
|
files are here:
|
2016-01-14 18:37:52 +05:30
|
|
|
|
2019-03-02 22:35:43 +05:30
|
|
|
- [Source installation NGINX file][source-nginx]
|
|
|
|
- [Omnibus installation NGINX file][omnibus-nginx]
|
2016-01-14 18:37:52 +05:30
|
|
|
|
|
|
|
Although SPDY is enabled in Omnibus installations, CRIME relies on compression
|
|
|
|
(the 'C') and the default compression level in NGINX's SPDY module is 0
|
|
|
|
(no compression).
|
|
|
|
|
2019-09-04 21:01:54 +05:30
|
|
|
## Nessus
|
2016-01-14 18:37:52 +05:30
|
|
|
|
|
|
|
The Nessus scanner, [reports a possible CRIME vulnerability][nessus] in GitLab
|
|
|
|
similar to the following format:
|
|
|
|
|
|
|
|
```
|
|
|
|
Description
|
|
|
|
|
|
|
|
This remote service has one of two configurations that are known to be required for the CRIME attack:
|
|
|
|
SSL/TLS compression is enabled.
|
|
|
|
TLS advertises the SPDY protocol earlier than version 4.
|
|
|
|
|
|
|
|
...
|
|
|
|
|
|
|
|
Output
|
|
|
|
|
|
|
|
The following configuration indicates that the remote service may be vulnerable to the CRIME attack:
|
|
|
|
SPDY support earlier than version 4 is advertised.
|
|
|
|
```
|
|
|
|
|
|
|
|
From the report above it is important to note that Nessus is only checking if
|
2019-09-04 21:01:54 +05:30
|
|
|
TLS advertises the SPDY protocol earlier than version 4. It does not perform an
|
|
|
|
attack nor does it check if compression is enabled. The Nessus scanner alone
|
2016-01-14 18:37:52 +05:30
|
|
|
cannot tell that SPDY's compression is disabled and not subject to the CRIME
|
|
|
|
vulnerability.
|
|
|
|
|
2019-09-04 21:01:54 +05:30
|
|
|
## References
|
2016-01-14 18:37:52 +05:30
|
|
|
|
2019-03-02 22:35:43 +05:30
|
|
|
- Nginx ["Module ngx_http_spdy_module"][ngx-spdy]
|
|
|
|
- Tenable Network Security, Inc. ["Transport Layer Security (TLS) Protocol CRIME Vulnerability"][nessus]
|
|
|
|
- Wikipedia contributors, ["CRIME"][wiki-crime] Wikipedia, The Free Encyclopedia
|
2016-01-14 18:37:52 +05:30
|
|
|
|
2019-12-04 20:38:33 +05:30
|
|
|
[source-nginx]: https://gitlab.com/gitlab-org/gitlab-foss/blob/master/lib/support/nginx/gitlab-ssl
|
2016-01-14 18:37:52 +05:30
|
|
|
[omnibus-nginx]: https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb
|
|
|
|
[ngx-spdy]: http://nginx.org/en/docs/http/ngx_http_spdy_module.html
|
|
|
|
[nessus]: https://www.tenable.com/plugins/index.php?view=single&id=62565
|
|
|
|
[wiki-crime]: https://en.wikipedia.org/wiki/CRIME
|
2019-09-04 21:01:54 +05:30
|
|
|
|
|
|
|
<!-- ## Troubleshooting
|
|
|
|
|
|
|
|
Include any troubleshooting steps that you can foresee. If you know beforehand what issues
|
|
|
|
one might have when setting this up, or when something is changed, or on upgrading, it's
|
|
|
|
important to describe those, too. Think of things that may go wrong and include them here.
|
|
|
|
This is important to minimize requests for support, and to avoid doc comments with
|
|
|
|
questions that you know someone might ask.
|
|
|
|
|
|
|
|
Each scenario can be a third-level heading, e.g. `### Getting error message X`.
|
|
|
|
If you have none to add when creating a doc, leave this section in place
|
|
|
|
but commented out to help encourage others to add to it in the future. -->
|