This is a fascinating attack. I scanned all of the information that I could find and it wasn't clear how this could be used to breach CSRF protection. Is there more detail somewhere on that specific attack vector?
-Rob On Tuesday, August 6, 2013 10:42:01 AM UTC-4, Jacob Kaplan-Moss wrote: > > Hi folks -- > > At last week's Black Hat conference, researchers announced the BREACH > attack (http://breachattack.com/), a new attack on web apps that can > recover data even when secured with SSL connections. Given what we know so > far, we believe that BREACH may be used to compromise Django's CSRF > protection. Thus, we're issuing a security advisory so that our users can > defend themselves. > > You can read more details, including how the steps you can take to prevent > yourself against this attack, on our blog: > > https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/ > > We plan to take steps to address BREACH in Django itself, but in the > meantime we recommend that all users of Django understand this > vulnerability and take action if appropriate. > > Jacob > -- You received this message because you are subscribed to the Google Groups "Django developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at http://groups.google.com/group/django-developers. For more options, visit https://groups.google.com/groups/opt_out.
