How we manage the TLS protocol CRIME vulnerability
CRIME is a security exploit against secret web cookies over connections using the HTTPS and SPDY protocols that also use data compression. When used to recover the content of secret authentication cookies, it allows an attacker to perform session hijacking on an authenticated web session, allowing the launching of further attacks.
Description
The TLS Protocol CRIME Vulnerability affects systems that use data compression over HTTPS. Your system might be vulnerable to the CRIME vulnerability if you use SSL Compression (for example, gzip) or SPDY (which optionally uses compression).
GitLab supports both gzip and SPDY and mitigates the CRIME vulnerability by deactivating gzip when HTTPS is enabled. The sources of the files are here:
Although SPDY is enabled in Omnibus installations, CRIME relies on compression (the ‘C’) and the default compression level in NGINX’s SPDY module is 0 (no compression).
Nessus
The Nessus scanner, reports a possible CRIME vulnerability in GitLab similar to the following format:
Description
This remote service has one of two configurations that are known to be required for the CRIME attack:
SSL/TLS compression is enabled.
TLS advertises the SPDY protocol earlier than version 4.
...
Output
The following configuration indicates that the remote service may be vulnerable to the CRIME attack:
SPDY support earlier than version 4 is advertised.
From the report above it is important to note that Nessus is only checking if TLS advertises the SPDY protocol earlier than version 4. It does not perform an attack nor does it check if compression is enabled. The Nessus scanner alone cannot tell that SPDY’s compression is disabled and not subject to the CRIME vulnerability.
References
- NGINX “Module ngx_http_spdy_module”
- Tenable Network Security, Inc. “Transport Layer Security (TLS) Protocol CRIME Vulnerability”
- Wikipedia contributors, “CRIME” Wikipedia, The Free Encyclopedia
Help and feedback
If there's something you don't like about this feature
To propose functionality that GitLab does not yet offer
To further help GitLab in shaping new features
If you didn't find what you were looking for
If you want help with something very specific to your use case, and can use some community support
POST ON GITLAB FORUM
If you have problems setting up or using this feature (depending on your GitLab subscription)
REQUEST SUPPORT
To view all GitLab tiers and features or to upgrade
If you want to try all features available in GitLab.com
If you want to try all features available in GitLab self-managed
If you spot an error or a need for improvement and would like to fix it yourself in a merge request
EDIT THIS PAGE
If you would like to suggest an improvement to this doc