Re: [Django] #20869: Prevent repetitive output to counter BREACH-type attacks

[Django]

#20869: Prevent repetitive output to counter BREACH-type attacks
-------------------------------+----------------------------------------
     Reporter:  patrys         |                    Owner:  adambrenecki
         Type:  Uncategorized  |                   Status:  assigned
    Component:  contrib.csrf   |                  Version:  1.5
     Severity:  Normal         |               Resolution:
     Keywords:                 |             Triage Stage:  Unreviewed
    Has patch:  0              |      Needs documentation:  0
  Needs tests:  0              |  Patch needs improvement:  0
Easy pickings:  0              |                    UI/UX:  0
-------------------------------+----------------------------------------

Comment (by adambrenecki):

 Replying to [comment:17 chris@…]:
 > In django-debreach, the token is AES-encrypted with a random key
 provided alongside it in the response body.

 Does using AES actually add anything over the XOR-with-random-value
 solution used in the Rails patch and mine? It seems like it wouldn't,
 unless I'm misunderstanding something (which is quite possible!).

 Replying to [comment:21 deprince@…]:
 > In all seriousness I think we should both provide a BREACH resistant
 gzip implementation and provide a breach resistant CSRF token generator.
 Some people don't use our gzip, and some people ... don't use our CSRF
 token generator.

 Agreed, especially since `GZipMiddleware` is not in Django's default
 `MIDDLEWARE_CLASSES`, but Nginx defaults to `gzip on;`. Being insecure by
 default and making users a) know about and b) change a whole bunch of
 settings to avoid security holes is something best left to... ''certain
 other'' web platforms ;)

-- 
Ticket URL: <https://code.djangoproject.com/ticket/20869#comment:22>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

-- 
You received this message because you are subscribed to the Google Groups 
"Django updates" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-updates+unsubscr...@googlegroups.com.
To post to this group, send email to django-updates@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-updates/064.4763e65dff589fd540e8f9f493710b11%40djangoproject.com.
For more options, visit https://groups.google.com/groups/opt_out.