Commit fc925583 authored by Achilleas Pipinellis

Add type to frontmatter

parent 5e05ec3b
--- ---
comments: false comments: false
type: index
--- ---
# Security # Security
......
---
type: reference
---
# How we manage the TLS protocol CRIME vulnerability # How we manage the TLS protocol CRIME vulnerability
> CRIME ("Compression Ratio Info-leak Made Easy") is a security exploit against > CRIME ("Compression Ratio Info-leak Made Easy") is a security exploit against
...@@ -7,7 +11,7 @@ authentication cookies, it allows an attacker to perform session hijacking on an ...@@ -7,7 +11,7 @@ authentication cookies, it allows an attacker to perform session hijacking on an
authenticated web session, allowing the launching of further attacks. authenticated web session, allowing the launching of further attacks.
([CRIME](https://en.wikipedia.org/w/index.php?title=CRIME&oldid=692423806)) ([CRIME](https://en.wikipedia.org/w/index.php?title=CRIME&oldid=692423806))
### Description ## Description
The TLS Protocol CRIME Vulnerability affects compression over HTTPS, therefore The TLS Protocol CRIME Vulnerability affects compression over HTTPS, therefore
it warns against using SSL Compression (for example gzip) or SPDY which it warns against using SSL Compression (for example gzip) or SPDY which
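Review bot: The heading change from `### Description` to `## Description` is not covered by the commit message, which only mentions adding `type` to the frontmatter. The new level is the right one under the `#` title, and the same change recurs at the Nessus and References headings in the later hunks, so either mention the heading normalization in the commit message or move it to its own commit.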
...@@ -24,7 +28,7 @@ Although SPDY is enabled in Omnibus installations, CRIME relies on compression ...@@ -24,7 +28,7 @@ Although SPDY is enabled in Omnibus installations, CRIME relies on compression
(the 'C') and the default compression level in NGINX's SPDY module is 0 (the 'C') and the default compression level in NGINX's SPDY module is 0
(no compression). (no compression).
### Nessus ## Nessus
The Nessus scanner, [reports a possible CRIME vulnerability][nessus] in GitLab The Nessus scanner, [reports a possible CRIME vulnerability][nessus] in GitLab
similar to the following format: similar to the following format:
...@@ -50,7 +54,7 @@ attack nor does it check if compression is enabled. With just this approach, it ...@@ -50,7 +54,7 @@ attack nor does it check if compression is enabled. With just this approach, it
cannot tell that SPDY's compression is disabled and not subject to the CRIME cannot tell that SPDY's compression is disabled and not subject to the CRIME
vulnerability. vulnerability.
### References ## References
- Nginx ["Module ngx_http_spdy_module"][ngx-spdy] - Nginx ["Module ngx_http_spdy_module"][ngx-spdy]
- Tenable Network Security, Inc. ["Transport Layer Security (TLS) Protocol CRIME Vulnerability"][nessus] - Tenable Network Security, Inc. ["Transport Layer Security (TLS) Protocol CRIME Vulnerability"][nessus]
......
---
type: concepts
---
# Information exclusivity # Information exclusivity
Git is a distributed version control system (DVCS). Git is a distributed version control system (DVCS).
......
---
type: reference, howto
---
# Custom password length limits # Custom password length limits
If you want to enforce longer user passwords you can create an extra Devise initializer with the steps below. If you want to enforce longer user passwords you can create an extra Devise initializer with the steps below.
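Review bot: In `type: reference, howto` the value parses in YAML as the single string "reference, howto", not as two types, while the other files touched here carry one value each. If whatever reads `type` expects a single value or a list, write it as a YAML sequence, for example `type: [reference, howto]`, or document that comma-separated strings are split downstream.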
......