Disable TLS compression to protect against CRIME-like attacks
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Microfiber | Fix Released | Critical | Jason Gerard DeRose | |
Bug Description
Thanks to prodding from David Jordan, I've looked into the CRIME attack more closely, and as a result figured out how to disable compression via SSLContext.options.
This article is a decent overview of the attack:
http://
Python 3.3 adds the `ssl.OP_
```python
ctx = ssl.SSLContext(
ctx.verify_mode = ssl.CERT_REQUIRED
ctx.options |= ssl.OP_
```
Although Novacut and Dmedia use client-side certs rather than sending a secret session cookie or password with each request, these are use cases Microfiber supports, so we should use good, secure defaults. And you never know in what ways this compression attack might be extended.
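As an added example (not Microfiber's code nor the reporter's), here is the context setup the report describes together with a check a reviewer can run against any context before it is used; it assumes the option the report refers to is `ssl.OP_NO_COMPRESSION` (present since Python 3.3) and uses the Python 3.6+ `ssl.PROTOCOL_TLS_CLIENT` constant.

```python
import ssl

# Assumption (added example): ssl.OP_NO_COMPRESSION is the option the
# report refers to; it tells OpenSSL never to negotiate TLS compression.


def make_client_context(cafile=None):
    """Client context with peer verification required and TLS-level
    compression disabled, as the report proposes for Microfiber."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.options |= ssl.OP_NO_COMPRESSION  # refuse compression in the handshake
    if cafile:
        ctx.load_verify_locations(cafile=cafile)  # optional CA bundle
    return ctx


def compression_disabled(ctx):
    """True when the context can never negotiate TLS compression."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


def audit_context(ctx):
    """Findings a defender would flag on a context; empty list means OK."""
    findings = []
    if not compression_disabled(ctx):
        findings.append("TLS compression not disabled (CRIME-style risk)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    return findings


def negotiated_without_compression(ssl_sock):
    """Post-handshake check on a live SSLSocket/SSLObject: compression()
    returns the method name if one was negotiated, None otherwise."""
    return ssl_sock.compression() is None


if __name__ == "__main__":
    hardened = make_client_context()
    print("hardened context findings:", audit_context(hardened))
```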
Related branches
- David Jordan: Approve
Diff: 58 lines (+9/-0), 2 files modified: microfiber.py (+5/-0), test_microfiber.py (+4/-0)
- description: updated
- summary: "Disabled SSL compression to protect against CRIME like attacks" → "Disabled TLS compression to protect against CRIME like attacks"
- Changed in microfiber: status: In Progress → Fix Committed
- summary: "Disabled TLS compression to protect against CRIME like attacks" → "Disable TLS compression to protect against CRIME like attacks"
- summary: "Disable TLS compression to protect against CRIME like attacks" → "Disable TLS compression to protect against CRIME-like attacks"
- Changed in microfiber: status: Fix Committed → Fix Released
Thanks, it never hurts to be careful!