543.md 2.9 KB
Newer Older
Lab机器人's avatar
readme  
Lab机器人 已提交
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49
# How we manage the TLS protocol CRIME vulnerability

> 原文:[https://docs.gitlab.com/ee/security/crime_vulnerability.html](https://docs.gitlab.com/ee/security/crime_vulnerability.html)

*   [Description](#description)
*   [Nessus](#nessus)
*   [References](#references)

# How we manage the TLS protocol CRIME vulnerability[](#how-we-manage-the-tls-protocol-crime-vulnerability "Permalink")

[CRIME](https://en.wikipedia.org/w/index.php?title=CRIME&oldid=692423806)是利用 HTTPS 和 SPDY 协议(也使用数据压缩)通过连接对秘密 Web Cookie 进行安全性攻击的方法. 当用于恢复秘密身份验证 Cookie 的内容时,它允许攻击者在经过身份验证的 Web 会话上执行会话劫持,从而允许发起进一步的攻击.

## Description[](#description "Permalink")

TLS 协议 CRIME 漏洞影响使用 HTTPS 进行数据压缩的系统. 如果使用 SSL 压缩(例如 Gzip)或 SPDY(可以选择使用压缩),则系统可能容易受到 CRIME 漏洞的攻击.

GitLab 支持 Gzip 和[SPDY,](http://nginx0org.icopy.site/en/docs/http/ngx_http_spdy_module.html)并通过在启用 HTTPS 时禁用 Gzip 来缓解 CRIME 漏洞. 文件的来源在这里:

*   [Source installation NGINX file](https://gitlab.com/gitlab-org/gitlab/blob/master/lib/support/nginx/gitlab-ssl)
*   [Omnibus installation NGINX file](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/files/gitlab-cookbooks/gitlab/templates/default/nginx-gitlab-http.conf.erb)

尽管在 Omnibus 安装中启用了 SPDY,但 CRIME 依赖于压缩(" C"),NGINX 的 SPDY 模块中的默认压缩级别为 0(无压缩).

## Nessus[](#nessus "Permalink")

Nessus 扫描仪[报告](https://www.tenable.com/plugins/index.php?view=single&id=62565) GitLab 中[可能存在的 CRIME 漏洞](https://www.tenable.com/plugins/index.php?view=single&id=62565) ,类似于以下格式:

```
Description

This remote service has one of two configurations that are known to be required for the CRIME attack:
SSL/TLS compression is enabled.
TLS advertises the SPDY protocol earlier than version 4.

...

Output

The following configuration indicates that the remote service may be vulnerable to the CRIME attack:
SPDY support earlier than version 4 is advertised. 
```

从上面的报告中,需要特别注意的是,Nessus 仅检查 TLS 是否在版本 4 之前发布了 SPDY 协议.它不执行攻击,也不检查是否启用了压缩. 仅 Nessus 扫描程序无法告知 SPDY 的压缩已禁用并且不受 CRIME 漏洞的影响.

## References[](#references "Permalink")

*   NGINX [“Module ngx_http_spdy_module”](http://nginx0org.icopy.site/en/docs/http/ngx_http_spdy_module.html)
*   Tenable Network Security,Inc. ["传输层安全性(TLS)协议 CRIME 漏洞"](https://www.tenable.com/plugins/index.php?view=single&id=62565)
*   Wikipedia 的贡献者, [" CRIME"](https://en.wikipedia.org/wiki/CRIME) Wikipedia,免费的百科全书