CRIME (Compression Ratio Info-leak Made Easy) is a security exploit that may allow attackers to read encrypted cookies and hijack sessions when SSL compression (TLS compression or SPDY) is in use.
Recent versions of Apache were shipped with SSL compression turned on by default.
To resolve this issue, cPanel has made the following changes:
- cPanel patched Apache 2.2.23 to include the SSLCompression directive.
- cPanel has set the default behavior of SSLCompression to off for both Apache 2.2 and Apache 2.4.
The result is that SSL compression is off by default in any Apache build that includes these changes.
System administrators can still set this directive to on if they choose, but we strongly recommend against this action.
Apache 2.2.24 already has the SSLCompression directive, so the patch has been simplified to set the default behavior of SSLCompression to off.
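Because administrators can still set the directive to on, it is worth checking existing configuration files for an explicit override of the new default. The shell function below is an added example, not part of cPanel's or Apache's tooling; the function name and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Report every active "SSLCompression on" line in the given Apache config files.
# Prints file:line: directive for each hit; returns 1 if any hit, 0 if none.
find_ssl_compression_on() {
    awk '
        BEGIN { found = 0 }
        # Apache treats a line as a comment only when # is the first non-blank character.
        /^[ \t]*#/ { next }
        NF >= 2 {
            val = $2
            gsub(/"/, "", val)            # the argument may be quoted
            # Directive names and On/Off flags are case-insensitive in Apache.
            if (tolower($1) == "sslcompression" && tolower(val) == "on") {
                printf "%s:%d: %s %s\n", FILENAME, FNR, $1, $2
                found = 1
            }
        }
        END { exit found }
    ' "$@"
}

# Constructed sample configuration (not from a real server) to show the output.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# SSLCompression on
SSLEngine on
<VirtualHost *:443>
    sslcompression On
</VirtualHost>
EOF
find_ssl_compression_on "$sample" ||
    echo "SSLCompression is explicitly enabled; remove the line or set it to off."
rm -f "$sample"
```

Pass the function the server's main configuration file and any files it includes; a non-zero exit status means at least one file overrides the default.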
More information about SSLCompression is available at the Apache website: