#34170: Mitigate the BREACH attack
-----------------------------------------+--------------------------
Reporter: Andreas Pelme | Owner: nobody
Type: New feature | Status: assigned
Component: HTTP handling | Version: 4.1
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+--------------------------
The BREACH attack (https://breachattack.com/) was published in 2013. The
Django project responded soon after
(https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/)
suggesting that users basically stop using gzip. CSRF masking was
implemented in 2016 (#20869).

In April 2022, a paper called "Heal The Breach" was published, suggesting
a mitigation that does not depend on masking specific tokens or injecting
data into HTML. It is rather a generic and effective mitigation. It
suggests adding randomness to the compressed response by injecting random
bytes in the gzip filename field of the gzip stream:
https://ieeexplore.ieee.org/document/9754554

Telling users to disable gzip is not great for bandwidth consumption. I
propose that Django should implement "Heal The Breach" with sensible
defaults.
--
Ticket URL: <https://code.djangoproject.com/ticket/34170>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
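The following is an added example, written for this ticket and not code from Django or from the "Heal The Breach" paper, showing the mechanism the ticket describes: a gzip member whose RFC 1952 FNAME header field is filled with a random-length string, so that identical response bodies compress to different sizes. The function names (`gzip_with_random_fname`, `fname_of`, `compressed_sizes`), the padding range of 1 to 32 bytes and the sample page body are all assumptions made for the example; it uses only the Python standard library.

```python
import gzip  # used only to confirm the output is a valid gzip stream
import secrets
import struct
import zlib

# Any byte except NUL may appear in FNAME; printable ASCII keeps the header
# easy to inspect in a packet capture.
_ALPHABET = b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def gzip_with_random_fname(data: bytes, min_pad: int = 1, max_pad: int = 32,
                           level: int = 6) -> bytes:
    """Compress `data` as one gzip member whose FNAME field holds a
    random-length string, so two responses with identical bodies do not
    have identical compressed sizes (the idea behind "Heal The Breach").
    The padding range is an assumption of this example, not a Django default."""
    if not 1 <= min_pad <= max_pad:
        raise ValueError("need 1 <= min_pad <= max_pad")
    # Random length and random content; `secrets` keeps the padding unpredictable.
    pad_len = min_pad + secrets.randbelow(max_pad - min_pad + 1)
    fname = bytes(secrets.choice(_ALPHABET) for _ in range(pad_len))

    # RFC 1952 fixed header: ID1 ID2 CM FLG MTIME(4) XFL OS; FLG bit 3 = FNAME.
    header = struct.pack("<BBBBLBB", 0x1F, 0x8B, 8, 0x08, 0, 0, 255)
    header += fname + b"\x00"  # FNAME is a zero-terminated string

    # Raw DEFLATE body (wbits=-15 means no zlib wrapper), then CRC32 and ISIZE.
    comp = zlib.compressobj(level, zlib.DEFLATED, -15)
    body = comp.compress(data) + comp.flush()
    trailer = struct.pack("<LL", zlib.crc32(data) & 0xFFFFFFFF,
                          len(data) & 0xFFFFFFFF)
    return header + body + trailer


def fname_of(gz: bytes) -> bytes:
    """Return the FNAME field of a gzip member, or b'' when FLG.FNAME is unset.
    Assumes no FEXTRA field precedes it (true for members built above)."""
    if gz[:2] != b"\x1f\x8b" or not gz[3] & 0x08:
        return b""
    end = gz.index(b"\x00", 10)  # the fixed header is 10 bytes long
    return gz[10:end]


def compressed_sizes(data: bytes, n: int, **kw) -> list:
    """Compress the same body n times and report each output length."""
    return [len(gzip_with_random_fname(data, **kw)) for _ in range(n)]


if __name__ == "__main__":
    # Constructed sample body: a page that carries a secret token next to
    # text reflected from the request, the shape BREACH depends on.
    page = (b"<html><body>"
            b"<input name='csrfmiddlewaretoken' value='example-token-value'>"
            + b"search: query " * 5 + b"</body></html>")
    sizes = compressed_sizes(page, 20)
    print("distinct compressed sizes for one identical body:", sorted(set(sizes)))
    out = gzip_with_random_fname(page)
    assert gzip.decompress(out) == page
    print("roundtrip ok; FNAME padding =", len(fname_of(out)), "bytes")
```

The padding sits in the header, outside the DEFLATE stream, so it costs no CPU and does not change how the body compresses; any gzip-aware client decodes the result unchanged, which is why the paper's approach needs no changes to page content or tokens. Note that random length padding raises the number of requests an attacker must average over to see a one-byte difference; it does not remove the length side channel, so the existing CSRF token masking remains worthwhile alongside it.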