summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--doc/security/README.md1
-rw-r--r--doc/security/crime_vulnerability.md59
2 files changed, 60 insertions, 0 deletions
diff --git a/doc/security/README.md b/doc/security/README.md
index fba6013d9c1..7df7cef6aa5 100644
--- a/doc/security/README.md
+++ b/doc/security/README.md
@@ -6,3 +6,4 @@
- [Information exclusivity](information_exclusivity.md)
- [Reset your root password](reset_root_password.md)
- [User File Uploads](user_file_uploads.md)
+- [How we manage the CRIME vulnerability](crime_vulnerability.md)
diff --git a/doc/security/crime_vulnerability.md b/doc/security/crime_vulnerability.md
new file mode 100644
index 00000000000..d716bff85a5
--- /dev/null
+++ b/doc/security/crime_vulnerability.md
@@ -0,0 +1,59 @@
+# How we manage the TLS protocol CRIME vulnerability
+
+> CRIME ("Compression Ratio Info-leak Made Easy") is a security exploit against
+secret web cookies over connections using the HTTPS and SPDY protocols that also
+use data compression.[1][2] When used to recover the content of secret
+authentication cookies, it allows an attacker to perform session hijacking on an
+authenticated web session, allowing the launching of further attacks.
+([CRIME](https://en.wikipedia.org/w/index.php?title=CRIME&oldid=692423806))
+
+### Description
+
+The TLS Protocol CRIME Vulnerability affects compression over HTTPS therefore
+it warns against using SSL Compression, take gzip for example, or SPDY which
+optionally uses compression as well.
+
+GitLab support both gzip and SPDY and manages the CRIME vulnerability by
+deactivating gzip when https is enabled and not activating the compression
+feature on SDPY.
+
+Take a look at our configuration file for NGINX if you'd like to explore how the
+conditions are setup for gzip deactivation on this link:
+[GitLab NGINX File](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb).
+
+For SPDY you can also watch how its implmented on NGINX at [GitLab NGINX File](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb)
+but take into consideration the NGINX documentation on its default state here:
+[Module ngx_http_spdy_module](http://nginx.org/en/docs/http/ngx_http_spdy_module.html).
+
+
+### Nessus
+
+The Nessus scanner reports a possible CRIME vunerability for GitLab similar to the
+following format:
+
+ Description
+
+ This remote service has one of two configurations that are known to be required for the CRIME attack:
+ SSL/TLS compression is enabled.
+ TLS advertises the SPDY protocol earlier than version 4.
+
+ ...
+
+ Output
+
+ The following configuration indicates that the remote service may be vulnerable to the CRIME attack:
+ SPDY support earlier than version 4 is advertised.
+
+*[This](http://www.tenable.com/plugins/index.php?view=single&id=62565) is a complete description from Nessus.*
+
+From the report above its important to note that Nessus is only checkng if TLS
+advertises the SPDY protocol earlier than version 4, it does not perform an
+attack nor does it check if compression is enabled. With just this approach it
+cannot tell that SPDY's compression is disabled and not subject to the CRIME
+vulnerbility.
+
+
+### Reference
+* Nginx. "Module ngx_http_spdy_module", Fri. 18 Dec.
+* Tenable Network Security, Inc. "Transport Layer Security (TLS) Protocol CRIME Vulnerability", Web. 15 Dec.
+* Wikipedia contributors. "CRIME." Wikipedia, The Free Encyclopedia. Wikipedia, The Free Encyclopedia, 25 Nov. 2015. Web. 15 Dec. 2015. \ No newline at end of file