Disable SPDY to mitigate against CRIME vulnerability


(Mike Ottum) #1

I would like to disable SPDY on my self-hosted Discourse instance in order to mitigate against the TLS CRIME vulnerability. My understanding based on this post is that SPDY 3.1 is vulnerable to CRIME (at least with header compression enabled).

So, I’d like to know how to disable SPDY and also how to disable SPDY header compression. I’d also be interested if anyone has done an analysis of whether an up-to-date Docker install of Discourse is vulnerable to CRIME (since I know it’s a complex topic and I might be misinterpreting things). Thanks!


(Sam Saffron) #2

As far as I can tell this is not a problem, we should actually enable it:

https://github.com/18F/tls-standards/issues/24

I am unsure we need to do anything in our docker template (discourse_docker/web.ssl.template.yml at master · discourse/discourse_docker · GitHub).

Regardless, feel free to write whatever template you want and include it instead.

cc @igrigorik
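For readers who want to act on the original question regardless, here is an added nginx fragment (not from this thread and not the discourse_docker template itself) showing where SPDY, its header compression, and the upload limit are set. Hostname, certificate paths and the upstream socket are placeholders; adapting it into your own web.ssl.template.yml is left to you.

```nginx
# Added example: minimal nginx server block for a Discourse front end.
# Only the three commented directives matter for this thread.
server {
    # SPDY is active only while "spdy" appears on the listen line;
    # removing that one word disables SPDY while keeping TLS.
    listen 443 ssl spdy;
    server_name forum.example.com;              # placeholder

    ssl_certificate     /etc/ssl/forum.crt;     # placeholder
    ssl_certificate_key /etc/ssl/forum.key;     # placeholder

    # SPDY header compression: 0 (nginx's default) disables it, which is the
    # cautious choice against CRIME-style attacks; 1 to 9 enables it at that
    # zlib level, which is what this thread discusses turning on.
    spdy_headers_comp 0;

    # Server-side request body limit for uploads, as discussed in the thread.
    client_max_body_size 10m;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://unix:/var/www/discourse/tmp/sockets/thin.0.sock;  # placeholder
    }
}
```

Run `nginx -t` after editing to confirm the configuration parses before reloading.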


(Jeff Atwood) #3

We should enable header compression in the next image, @sam, along with making 10mb the new server-side file size limit in Nginx.


(Sam Saffron) #4

We don’t need to do either in the image; we can simply check it in to the template (and Discourse for nginx changes).


(Mike Ottum) #5

Thanks @sam, that helps clear things up for me.


(Jeff Atwood) #6

You made 10mb the new upload limit, but was header compression enabled?


(Jeff Atwood) #7

I think this is all resolved in the base image now, correct @sam?


(Sam Saffron) #8

Yes, this should be resolved, closing.
