Protection against ssl crime attack

You can test your server host name here: https://www.ssllabs.com/ssltest/index.html

I have already manually added a fix for the BEAST attack as described here http://www.directadmin.com/forum/showthread.php?t=41726

However, my server is vulnerable to the CRIME attack, more info here https://community.qualys.com/blogs/s…against-ssltls

Quote:

The third requirement for wide exploitation is an easy to use exploitation tool. Unlike BEAST, CRIME seems much easier to exploit; we’ve already seen a simple proof of concept, and so it’s likely that we will see a complete tool soon, maybe as a fork of sslstrip.

Further, unlike BEAST, which requires a manual intervention to mitigate, CRIME will be easier to patch. I expect most vendors will simply disable TLS compression.


And more info here: http://isecpartners.com/blog/2012/9/…me-attack.html

Quote:

Server-Side Mitigation

In most cases you can rely on clients having been patched to disable compression. If you want to perform due diligence you can disable SSL Compression server-side also. You can test for SSL Compression using the SSL Labs service (look for “Compression” in the Miscellaneous section) or using iSEC Partners’ ssl scanning tool sslyze v0.5.

Apache 2.4 using mod_ssl

Apache 2.4.3 has support for the SSLCompression flag. This is a very new release of Apache – the feature itself was added in August, 2012. SSLCompression is on by default – to disable it specify “SSLCompression off”. http://httpd.apache.org/docs/2.4/mod…sslcompression


I am running CentOS 6.3, custombuild 1.2 and Apache 2.4.3. I will ask that DirectAdmin add a fix for this in custombuild for Apache 2.4.x, or maybe also for Apache 2.2.x.

In the meantime, does anybody know how to correctly disable and set “SSLCompression off” in apache 2.4.x?

I also ask that DirectAdmin try to make a fix for this on port 2222, and do that for both the CRIME attack and the BEAST attack. As said, I have already manually fixed the BEAST attack, but only on Apache; however, the DirectAdmin control panel itself is not running Apache, so I have not been able to fix it for the DirectAdmin control panel.

Edit: It is also discussed at webhostingtalk: cPanel Apache 2.2.22 and CRIME SSL attack http://www.webhostingtalk.com/showthread.php?t=1199408
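The question above is where to put `SSLCompression off` so that it actually covers every TLS virtual host. The directive is valid in the main server config and inside `<VirtualHost>` blocks, and a vhost inherits the global value unless it sets its own, so the simplest correct placement is once in the global context (for example in httpd.conf or ssl.conf outside any `<VirtualHost>`). The following script is an added example, not code from the forum post, DirectAdmin or Apache: it walks an Apache 2.4 configuration text, works out the effective `SSLCompression` value per `SSLEngine on` vhost using the 2.4.3 default of `on` quoted above, and reports which vhosts would still negotiate compression. The configuration fragment, host names and addresses are constructed for the example; the parser ignores `<IfModule>`/`<IfDefine>` wrappers (assumed transparent for context purposes) and does not follow `Include` directives, so run it on the fully assembled config (e.g. the output of `httpd -DDUMP_CONFIG` style dumps) or concatenate the relevant files first.

```python
import re
from typing import Dict, List, Tuple

# Constructed Apache 2.4 config fragment for the example (not a real server's config).
# First vhost: TLS on, no SSLCompression directive -> inherits the 2.4.3 default "on".
# Second vhost: TLS on, SSLCompression off set locally, wrapped in <IfModule>.
# Third vhost: plain HTTP, irrelevant to CRIME.
SAMPLE_CONF = """
Listen 443
SSLEngine off
# SSLCompression off   <- commented out, so the global default still applies

<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/example.crt
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost 192.0.2.10:443>
    ServerName secure.example.com
    SSLEngine on
    SSLCompression off
</VirtualHost>
</IfModule>

<VirtualHost 192.0.2.10:80>
    ServerName plain.example.com
</VirtualHost>
"""

OPEN_RE = re.compile(r"^<(\w+)\b(.*?)>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")
# Sections that do not change the directive context (assumption for this example).
TRANSPARENT = {"ifmodule", "ifdefine", "ifversion"}


def parse_contexts(conf_text: str) -> Tuple[Dict[str, str], List[Tuple[str, Dict[str, str]]]]:
    """Return (global directives, [(vhost label, vhost directives), ...]).

    Directive names are lower-cased. Only directives in the global context or
    directly inside a <VirtualHost> are recorded; <Directory>, <Location> etc.
    are skipped because SSLCompression is not valid there anyway.
    """
    global_directives: Dict[str, str] = {}
    vhosts: List[Tuple[str, Dict[str, str]]] = []
    stack: List[str] = []
    current: Dict[str, str] = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # Apache comments start the line
            continue
        m = OPEN_RE.match(line)
        if m:
            stack.append(m.group(1))
            if m.group(1).lower() == "virtualhost":
                current = {"__addr__": m.group(2).strip()}
            continue
        m = CLOSE_RE.match(line)
        if m:
            closed = stack.pop()
            if closed.lower() == "virtualhost":
                vhosts.append((current.get("servername", current["__addr__"]), current))
                current = {}
            continue
        ctx = [s.lower() for s in stack if s.lower() not in TRANSPARENT]
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if not ctx:
            global_directives[key] = value
        elif ctx == ["virtualhost"]:
            current[key] = value
    return global_directives, vhosts


def audit_ssl_compression(conf_text: str) -> List[Tuple[str, str]]:
    """For every vhost with SSLEngine on, return (label, effective SSLCompression)."""
    global_directives, vhosts = parse_contexts(conf_text)
    default = global_directives.get("sslcompression", "on")  # Apache 2.4.3 default per the quote above
    results = []
    for label, directives in vhosts:
        engine = directives.get("sslengine", global_directives.get("sslengine", "off")).lower()
        if engine != "on":
            continue  # no TLS here, compression setting is moot
        results.append((label, directives.get("sslcompression", default).lower()))
    return results


def vhosts_with_compression(conf_text: str) -> List[str]:
    """Labels of TLS vhosts that would still offer TLS compression (CRIME-relevant)."""
    return [label for label, setting in audit_ssl_compression(conf_text) if setting != "off"]


if __name__ == "__main__":
    for label, setting in audit_ssl_compression(SAMPLE_CONF):
        print(f"{label:25s} SSLCompression {setting}")
    # Putting the directive once in the global context fixes every TLS vhost at once.
    fixed = "SSLCompression off\n" + SAMPLE_CONF
    print("still vulnerable after global fix:", vhosts_with_compression(fixed))
```

After applying the change, the SSL Labs test or `openssl s_client` output (which prints a `Compression:` line for the negotiated session) should show no compression on every TLS host, which is the check the quoted iSEC post recommends.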
