Hi,

You can find my work-in-progress at https://github.com/django/django/pull/1454.
It is nowhere near ready yet -- it is still missing some pieces and has
commented-out debug printing, but I'm done for tonight, and I think it is
advanced enough that people may want to take a look and comment.


On Saturday 03 August 2013 19:51:30 Michael Mior wrote:
> In light of BREACH[1] it might be worth looking into having the option of
> adding a one-time pad to the CSRF token as well. Has anyone started
> development on any of the suggestions in this thread yet? If not, it's
> something I'd be interested in exploring.
> 
> [1] 
> http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf
> 
 
I did not include anything related to BREACH -- at first I thought that adding
the signature (which is very close to random padding) on both sides of the
secret would help, but apparently that is not very valuable; on the contrary, 
the timestamp gives very predictable context at the end of the secret token.
So the solution will probably involve using some sort of XORed (or otherwise 
added) one-time pad. Thanks to the good work of django.core.signing, 
which I am trying to build upon, I think this will be easy to add (as a new 
kind of signer).

Your comments are welcome; I hope I'm not completely off-base,

Shai.

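The XORed one-time-pad masking described above, as an added example that is not code from this post or from the linked pull request: each response carries a fresh random mask alongside the mask XORed with the constant secret, so the bytes in the page body change every time while the receiver can still recover the secret. The function names and the 32-byte secret length are assumptions.

```python
import os
import hmac
import base64
from typing import Optional

SECRET_LEN = 32  # assumed length of the underlying CSRF secret (constructed)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def mask_secret(secret: bytes, mask: Optional[bytes] = None) -> str:
    """Return mask || (secret XOR mask), URL-safe base64 encoded.

    A fresh random mask is drawn for every response, so the token placed in
    the page body differs each time even though the secret is constant; this
    removes the stable plaintext that a compression oracle such as BREACH
    guesses against.  `mask` is accepted only so tests can be deterministic.
    """
    if len(secret) != SECRET_LEN:
        raise ValueError("unexpected secret length")
    if mask is None:
        mask = os.urandom(SECRET_LEN)
    return base64.urlsafe_b64encode(mask + xor_bytes(secret, mask)).decode("ascii")


def unmask_token(token: str) -> Optional[bytes]:
    """Recover the secret from a masked token; None if the token is malformed."""
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except (ValueError, UnicodeEncodeError):
        return None
    if len(raw) != 2 * SECRET_LEN:
        return None
    mask, masked = raw[:SECRET_LEN], raw[SECRET_LEN:]
    return xor_bytes(masked, mask)


def token_matches(token: str, secret: bytes) -> bool:
    """Constant-time check that a submitted token unmasks to the session secret."""
    recovered = unmask_token(token)
    return recovered is not None and hmac.compare_digest(recovered, secret)
```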