Diffstat (limited to 'doc/security/crime_vulnerability.md')
-rw-r--r--  doc/security/crime_vulnerability.md  10
1 files changed, 7 insertions, 3 deletions
diff --git a/doc/security/crime_vulnerability.md b/doc/security/crime_vulnerability.md index d61a205d954..33878830c7b 100644 --- a/doc/security/crime_vulnerability.md +++ b/doc/security/crime_vulnerability.md @@ -1,3 +1,7 @@ +--- +type: reference +--- + # How we manage the TLS protocol CRIME vulnerability > CRIME ("Compression Ratio Info-leak Made Easy") is a security exploit against @@ -7,7 +11,7 @@ authentication cookies, it allows an attacker to perform session hijacking on an authenticated web session, allowing the launching of further attacks. ([CRIME](https://en.wikipedia.org/w/index.php?title=CRIME&oldid=692423806)) -### Description +## Description The TLS Protocol CRIME Vulnerability affects compression over HTTPS, therefore it warns against using SSL Compression (for example gzip) or SPDY which @@ -24,7 +28,7 @@ Although SPDY is enabled in Omnibus installations, CRIME relies on compression (the 'C') and the default compression level in NGINX's SPDY module is 0 (no compression). -### Nessus +## Nessus The Nessus scanner, [reports a possible CRIME vulnerability][nessus] in GitLab similar to the following format: @@ -50,7 +54,7 @@ attack nor does it check if compression is enabled. With just this approach, it cannot tell that SPDY's compression is disabled and not subject to the CRIME vulnerability. -### References +## References - Nginx ["Module ngx_http_spdy_module"][ngx-spdy] - Tenable Network Security, Inc. ["Transport Layer Security (TLS) Protocol CRIME Vulnerability"][nessus] |
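Review bot: in the second hunk (`-### Description` / `+## Description`), demoting the heading from H3 to H2 is correct since the page has a single H1 and nothing at H2, but the context sentence directly below it still reads "The TLS Protocol CRIME Vulnerability affects compression over HTTPS, therefore it warns against using SSL Compression", which has the vulnerability doing the warning. Since this change is already touching that section, consider rewording the context line to something like "therefore the guidance is to avoid SSL compression (for example gzip) or SPDY" so the subject of "warns" is the advisory rather than the flaw.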
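Review bot: the third hunk (`-### Nessus` / `+## Nessus`) only renumbers the heading, but the unchanged context above it still asserts "Although SPDY is enabled in Omnibus installations" and the default compression level "in NGINX's SPDY module is 0". Because the first hunk reclassifies this page as `type: reference`, please confirm that claim is still current before merging: NGINX dropped ngx_http_spdy_module in favour of its HTTP/2 module, so the argument that the Nessus finding is a false positive may now rest on a module that is no longer shipped. A minor style point in the same hunk: "The Nessus scanner, [reports a possible CRIME vulnerability][nessus]" has a stray comma after "scanner".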
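Review bot: the fourth hunk (`-### References` / `+## References`) is consistent with the other heading changes, but the first entry it leaves in place, Nginx "Module ngx_http_spdy_module", documents a module that upstream has since removed, so the link is likely to rot. If the SPDY wording in the body is updated, this reference should be replaced with the NGINX HTTP/2 module documentation in the same change rather than left pointing at the retired module.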