Hi,

On Monday, August 4, 2014 3:15:15 AM UTC+2, Adam Brenecki wrote:
>
> So, a while ago, BREACH happened, and Django's CSRF implementation was 
> vulnerable, as was Rails'. The paper that discussed it described a 
> mitigation (and a Rails patch had already been made), so I implemented that 
> same mitigation in a Django patch. Discussion on the Trac ticket has 
> stalled, and I've been told this is the place to go.
>

Technically the only mitigation is to disable GZip. That said, randomizing 
the CSRF token provides an extra layer of security, but doesn't necessarily 
help (e.g. credit card data could still get leaked, so you'd still have to 
disable gzip).

> The patch I've written implements this mitigation, with one difference: 
> instead of using xor, it uses a Vigenère cipher (as suggested by FunkyBob), 
> as xor was creating non-printable characters which caused problems. I think 
> this should be OK as Vigenère is commonly used for one-time pads and does 
> more or less the same thing to characters that xor does to bits.
>

What is wrong with xor+base64? Not that Vigenère cipher is complex, but we 
have a pretty hard stance against implementing "crypto" on our own.

Cheers,
Florian

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To post to this group, send email to django-developers@googlegroups.com.
Visit this group at http://groups.google.com/group/django-developers.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/67393a16-220c-4419-af4d-648f2d42d841%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
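As an added illustration of the "xor+base64" approach Florian asks about (this is example code written for this page, not Django's implementation and not the patch under discussion): a fixed per-session secret is combined with a fresh random mask on every response, and the mask is shipped alongside the masked secret so the server can recover the secret without storing the mask. Because the masked bytes are base64-encoded before they reach the page, the non-printable output that XOR produces is never a problem. The 32-byte secret length, the function names and the URL-safe base64 alphabet are assumptions of this example.

```python
import base64
import hmac
import secrets

# Constructed example, not Django's code: per-response masking of a CSRF
# secret so the token embedded in each response differs while the
# underlying per-session secret stays the same.
CSRF_SECRET_LENGTH = 32  # assumed length; any fixed length works


def generate_secret() -> bytes:
    """Per-session secret, created once and stored server-side."""
    return secrets.token_bytes(CSRF_SECRET_LENGTH)


def mask_secret(secret: bytes) -> str:
    """Return urlsafe-base64(mask || (secret XOR mask)) with a fresh random mask.

    Each call yields a different printable string for the same secret, which is
    the property the masking is meant to provide.
    """
    if len(secret) != CSRF_SECRET_LENGTH:
        raise ValueError("unexpected secret length")
    mask = secrets.token_bytes(CSRF_SECRET_LENGTH)
    masked = bytes(s ^ m for s, m in zip(secret, mask))
    # base64 turns the arbitrary bytes from XOR into printable ASCII.
    return base64.urlsafe_b64encode(mask + masked).decode("ascii")


def unmask_token(token: str) -> bytes:
    """Recover the secret from a masked token; raises ValueError if malformed."""
    raw = base64.urlsafe_b64decode(token)  # binascii.Error is a ValueError
    if len(raw) != 2 * CSRF_SECRET_LENGTH:
        raise ValueError("malformed token")
    mask, masked = raw[:CSRF_SECRET_LENGTH], raw[CSRF_SECRET_LENGTH:]
    return bytes(s ^ m for s, m in zip(masked, mask))


def token_is_valid(submitted: str, session_secret: bytes) -> bool:
    """Server-side check: unmask the submitted token and compare in constant time."""
    try:
        candidate = unmask_token(submitted)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, session_secret)


if __name__ == "__main__":
    secret = generate_secret()
    first, second = mask_secret(secret), mask_secret(secret)
    print("tokens differ per response:", first != second)
    print("both validate:", token_is_valid(first, secret), token_is_valid(second, secret))
```

The point of the test at the end is the one that matters for this thread: two tokens for the same secret never share bytes, so the attacker-controlled part of a compressed response cannot converge on a stable value, while the server still validates either one against the single stored secret.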