#20869: Prevent repetitive output to counter BREACH-type attacks
-------------------------------+----------------------------------------
Reporter: patrys | Owner: adambrenecki
Type: Uncategorized | Status: assigned
Component: contrib.csrf | Version: 1.5
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+----------------------------------------
Comment (by carljm):
Replying to [comment:18 deprince@…]:
> What if instead of modifying the csrf middleware to produce tokens that
are resistant to discovery by Breach, we instead modified the
GzipMiddleware to not compress deterministically?
[[http://github.com/wnyc/breach_buster|breach_buster]] provides an
alternatibve GZipMiddleware implementation. It calls flush a few times
at random points in the beginning of the file. This adds noise to the
size of the output file size, making BREACH impossible to implement.
a) Modifying GZipMiddleware isn't comprehensive mitigation, many people
don't use the middleware and let the front-end server handle compression
instead (it usually performs better).
b) AFAIU adding random noise to the file length does not really protect
against BREACH, it just means the attacker needs to make more requests to
average out the noise and find the still-present signal.
--
Ticket URL: <https://code.djangoproject.com/ticket/20869#comment:19>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
You received this message because you are subscribed to the Google Groups
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/django-updates/064.392df714cdc55fc0aa8dff26ed2b6990%40djangoproject.com.
For more options, visit https://groups.google.com/groups/opt_out.
