cPanel & WHM no longer develops EasyApache 3 and only releases security updates for it. We will deprecate EasyApache 3 on December 31, 2018. After that date, we will no longer update EasyApache 3. In cPanel & WHM version 78, we will remove support for EasyApache 3. For more information, read our cPanel Long-Term Support documentation. If you do not upgrade to EasyApache 4, you cannot upgrade to cPanel & WHM version 78. We strongly recommend that you upgrade to EasyApache 4. For more information, read our EasyApache 4 documentation.
How To Prevent CRIME Attacks - EasyApache - cPanel Documentation

Overview

CRIME (Compression Ratio Info-leak Made Easy) is a security exploit that may allow attackers to read encrypted cookies and hijack sessions when SSL compression (TLS compression or SPDY) is in use.

Recent versions of Apache were shipped with SSL compression turned on by default.

Detail

To resolve this issue, cPanel has made the following changes:

  • cPanel patched Apache 2.2.23 to include the SSLCompression directive.
  • cPanel has set the default behavior of SSLCompression to off for both Apache 2.2 and Apache 2.4.

As a result, when Apache is built, SSL compression is off by default.

System administrators can still set this directive to on if they choose, but we strongly recommend against this action.

Note:

Apache 2.2.24 already has the SSLCompression directive, so the patch has been simplified to set the default behavior of SSLCompression to off.
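One way to confirm that no configuration file turns the directive back on, as an added example that is not cPanel's own tooling. The file names and sample configuration are constructed, and the scan reads only the files it is given (it does not follow Include directives):

```shell
#!/usr/bin/env bash
# Added example: scan Apache configuration files for an active
# "SSLCompression on" directive. The sample files are constructed.

# Prints "file:line: text" for each active directive that turns
# SSLCompression on. Returns 0 when none is found, 1 otherwise.
find_sslcompression_on() {
    awk '
        # Apache treats a line starting with "#" as a comment.
        /^[[:space:]]*#/ { next }
        # Directive names and the on/off argument are case-insensitive.
        tolower($1) == "sslcompression" && tolower($2) == "on" {
            printf "%s:%d: %s\n", FILENAME, FNR, $0
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$@"
}

# Writes two constructed sample files into the directory given as $1.
write_sample_configs() {
    cat > "$1/ssl_hardened.conf" <<'EOF'
# SSLCompression on   (commented out, so inactive)
SSLEngine on
SSLCompression off
EOF
    cat > "$1/ssl_legacy.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    sslcompression On
</VirtualHost>
EOF
}

# Demonstration run against the constructed samples.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
if findings=$(find_sslcompression_on "$demo_dir"/*.conf); then
    echo "OK: no active 'SSLCompression on' directive"
else
    echo "SSLCompression is enabled at:"
    echo "$findings"
fi
rm -rf "$demo_dir"
```

On a real server, pass the Apache configuration files in use instead of the sample directory; a non-zero return means at least one file enables compression.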

Additional Documentation

More information about SSLCompression is available at the Apache website: