Adding how we manage CRIME vulnerability to security docs [ci skip]adding_crime_security

2 files changed, 60 insertions, 0 deletions

diff --git a/doc/security/README.md b/doc/security/README.md
index fba6013d9c1..7df7cef6aa5 100644
--- a/doc/security/README.md
+++ b/doc/security/README.md
@@ -6,3 +6,4 @@
 - [Information exclusivity](information_exclusivity.md)
 - [Reset your root password](reset_root_password.md)
 - [User File Uploads](user_file_uploads.md)
+- [How we manage the CRIME vulnerability](crime_vulnerability.md)
diff --git a/doc/security/crime_vulnerability.md b/doc/security/crime_vulnerability.md
new file mode 100644
index 00000000000..d716bff85a5
--- /dev/null
+++ b/doc/security/crime_vulnerability.md
@@ -0,0 +1,59 @@
+# How we manage the TLS protocol CRIME vulnerability
+
+> CRIME ("Compression Ratio Info-leak Made Easy") is a security exploit against 
+secret web cookies over connections using the HTTPS and SPDY protocols that also 
+use data compression.[1][2] When used to recover the content of secret 
+authentication cookies, it allows an attacker to perform session hijacking on an 
+authenticated web session, allowing the launching of further attacks.
+([CRIME](https://en.wikipedia.org/w/index.php?title=CRIME&oldid=692423806))
+
+### Description
+
+The TLS Protocol CRIME Vulnerability affects compression over HTTPS therefore 
+it warns against using SSL Compression, take gzip for example, or SPDY which 
+optionally uses compression as well. 
+
+GitLab support both gzip and SPDY and manages the CRIME vulnerability by 
+deactivating gzip when https is enabled and not activating the compression
+feature on SDPY.
+
+Take a look at our configuration file for NGINX if you'd like to explore how the 
+conditions are setup for gzip deactivation on this link: 
+[GitLab NGINX File](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb).
+
+For SPDY you can also watch how its implmented on NGINX at [GitLab NGINX File](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb)
+but take into consideration the NGINX documentation on its default state here: 
+[Module ngx_http_spdy_module](http://nginx.org/en/docs/http/ngx_http_spdy_module.html).
+
+
+### Nessus
+
+The Nessus scanner reports a possible CRIME vunerability for GitLab similar to the 
+following format:
+
+	Description
+
+	This remote service has one of two configurations that are known to be required for the CRIME attack:
+	SSL/TLS compression is enabled.
+	TLS advertises the SPDY protocol earlier than version 4.
+
+	...
+
+	Output
+
+	The following configuration indicates that the remote service may be vulnerable to the CRIME attack:
+	SPDY support earlier than version 4 is advertised.
+
+*[This](http://www.tenable.com/plugins/index.php?view=single&id=62565) is a complete description from Nessus.*
+
+From the report above its important to note that Nessus is only checkng if TLS
+advertises the SPDY protocol earlier than version 4, it does not perform an 
+attack nor does it check if compression is enabled. With just this approach it 
+cannot tell that SPDY's compression is disabled and not subject to the CRIME
+vulnerbility.
+
+
+### Reference
+* Nginx. "Module ngx_http_spdy_module", Fri. 18 Dec.
+* Tenable Network Security, Inc. "Transport Layer Security (TLS) Protocol CRIME Vulnerability", Web. 15 Dec.
+* Wikipedia contributors. "CRIME." Wikipedia, The Free Encyclopedia. Wikipedia, The Free Encyclopedia, 25 Nov. 2015. Web. 15 Dec. 2015.
\ No newline at end of file