Prevent SSL CRIME

The CRIME (Compression Ratio Info-leak Made Easy) attack is a vulnerability in the SSL compression. The attack against secret web cookies sent over compressed HTTPS or SPDY connections, leaves cookie data vulnerable to session hijacking.

Security Assessment

Vulnerability Information

The CRIME (Compression Ratio Info-leak Made Easy) attack is a vulnerability in the SSL compression. The attack against secret web cookies sent over compressed HTTPS or SPDY connections, leaves cookie data vulnerable to session hijacking.

Guides

To prevent the CRIME attack, disable SSL compression.

Apache

Using the standard settings, CRIME is only a problem for Apache version 2.4.3. To disable SSL compression, define the following directive in your SSL settings (usually /etc/apache2/mods-enabled/ssl.confor /etc/letsencrypt/options-ssl-apache.conf when using Let's Encrypt). Also strongly think of upgrading Apache to the latest version.

https://github.com/crashtest-security/gist/blob/master/ssl_tls_vulnerabilities/ssl_crime/apache

Nginx

Nginx is vulnerable for CRIME in older versions, which have SSL compression enabled. Please update to a recent version of nginx and OpenSSL. The following versions are known to prevent the vulnerability:

1.0.9 (if OpenSSL 1.0.0+ used)
1.1.6 (if OpenSSL 1.0.0+ used)
1.2.2
1.3.2

https://github.com/crashtest-security/gist/blob/master/ssl_tls_vulnerabilities/ssl_crime/nginx

Prevent SSL CRIME

The CRIME (Compression Ratio Info-leak Made Easy) attack is a vulnerability in the SSL compression. The attack against secret web cookies sent over compressed HTTPS or SPDY connections, leaves cookie data vulnerable to session hijacking.

Security Assessment

Vulnerability Information

Guides

Apache

Nginx

For more information about Crashtest Security visit crashtest-security.com