Diffstat (limited to 'doc/security/crime_vulnerability.md')
-rw-r--r-- | doc/security/crime_vulnerability.md | 26 |
1 files changed, 19 insertions, 7 deletions
diff --git a/doc/security/crime_vulnerability.md b/doc/security/crime_vulnerability.md index 33878830c7b..9665cc0337f 100644 --- a/doc/security/crime_vulnerability.md +++ b/doc/security/crime_vulnerability.md @@ -13,13 +13,13 @@ authenticated web session, allowing the launching of further attacks. ## Description -The TLS Protocol CRIME Vulnerability affects compression over HTTPS, therefore -it warns against using SSL Compression (for example gzip) or SPDY which -optionally uses compression as well. +The TLS Protocol CRIME Vulnerability affects systems that use data compression +over HTTPS. Your system might be vulnerable to the CRIME vulnerability if you use +SSL Compression (for example, gzip) or SPDY (which optionally uses compression). GitLab supports both gzip and [SPDY][ngx-spdy] and mitigates the CRIME -vulnerability by deactivating gzip when HTTPS is enabled. You can see the -sources of the files in question: +vulnerability by deactivating gzip when HTTPS is enabled. The sources of the +files are here: - [Source installation NGINX file][source-nginx] - [Omnibus installation NGINX file][omnibus-nginx] @@ -49,8 +49,8 @@ SPDY support earlier than version 4 is advertised. ``` From the report above it is important to note that Nessus is only checking if -TLS advertises the SPDY protocol earlier than version 4, it does not perform an -attack nor does it check if compression is enabled. With just this approach, it +TLS advertises the SPDY protocol earlier than version 4. It does not perform an +attack nor does it check if compression is enabled. The Nessus scanner alone cannot tell that SPDY's compression is disabled and not subject to the CRIME vulnerability. 
@@ -65,3 +65,15 @@ vulnerability. [ngx-spdy]: http://nginx.org/en/docs/http/ngx_http_spdy_module.html [nessus]: https://www.tenable.com/plugins/index.php?view=single&id=62565 [wiki-crime]: https://en.wikipedia.org/wiki/CRIME + +<!-- ## Troubleshooting + +Include any troubleshooting steps that you can foresee. If you know beforehand what issues +one might have when setting this up, or when something is changed, or on upgrading, it's +important to describe those, too. Think of things that may go wrong and include them here. +This is important to minimize requests for support, and to avoid doc comments with +questions that you know someone might ask. + +Each scenario can be a third-level heading, e.g. `### Getting error message X`. +If you have none to add when creating a doc, leave this section in place +but commented out to help encourage others to add to it in the future. --> |
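Review bot: In the first hunk (the Description rewrite), the new sentence "Your system might be vulnerable to the CRIME vulnerability if you use SSL Compression (for example, gzip)" presents gzip as a form of SSL compression, which blurs two different layers: CRIME is about compression inside the TLS/SPDY layer, while gzip as configured in NGINX is HTTP response compression. Since the next paragraph describes the mitigation as "deactivating gzip when HTTPS is enabled", it would help the reader to say explicitly that GitLab disables HTTP-level compression on HTTPS and that TLS-level compression is not enabled, rather than listing gzip as an example of SSL compression. Also, "The sources of the files are here:" reads awkwardly; "The relevant NGINX configuration files are:" would be clearer.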
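Review bot: In the second hunk, the new closing sentence "The Nessus scanner alone cannot tell that SPDY's compression is disabled" leaves the reader without a way to confirm this themselves; since the hunk states the scanner only checks whether SPDY earlier than version 4 is advertised, consider adding one sentence pointing to where compression is actually configured (the NGINX files linked in the Description section) so an administrator can verify the finding is a false positive. Minor style point: "It does not perform an attack nor does it check if compression is enabled" reads better with a comma before "nor".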
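Review bot: In the third hunk, the 12 added lines are a commented-out template ("Include any troubleshooting steps that you can foresee...") with no content specific to this document, so they ship placeholder instructions in a published page. Either drop the block or replace it with a real entry: the Nessus report discussed just above is itself a troubleshooting scenario (a scan flags CRIME although compression is disabled), and the template's own suggestion of a third-level heading such as `### Nessus reports the CRIME vulnerability` would fit it naturally.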