#34170: Mitigate the BREACH attack
-------------------------------------+-------------------------------------
Reporter: Andreas Pelme | Owner: Andreas Pelme
Type: New feature | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: breach, htb, gzip | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Nick Pope):
* keywords: => breach, htb, gzip
* owner: nobody => Andreas Pelme
Old description:
> The BREACH attack (https://breachattack.com/) was published in 2013. The
> Django project responded soon after
> (https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/)
> suggesting that users basically stop using gzip. CSRF masking was
> implemented in 2016 (#20869).
>
> In April 2022, a paper called "Heal The Breach" was published, suggesting
> a mitigation that does not depend on masking specific tokens or injecting
> data into HTML. It is rather a generic and effective mitigation. It
> suggests adding randomness to the compressed response by injecting random
> bytes in the gzip filename field of the gzip stream:
> https://ieeexplore.ieee.org/document/9754554
>
> Telling users to disable gzip is not great for bandwidth consumption. I
> propose that Django should implement "Heal The Breach" with a sensible
> default.
New description:
The BREACH attack (https://breachattack.com/) was published in 2013. The
Django project responded soon after
(https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/)
suggesting that users basically stop using gzip. CSRF masking was
implemented in 2016 (#20869).
In April 2022, a paper called "Heal The Breach" was published, suggesting
a mitigation that does not depend on masking specific tokens or injecting
data into HTML. It is rather a generic and effective mitigation. It
suggests adding randomness to the compressed response by injecting random
bytes in the gzip filename field of the gzip stream:
https://ieeexplore.ieee.org/document/9754554
Telling users to disable gzip is not great for bandwidth consumption. I
propose that Django should implement "Heal The Breach" with a sensible
default.
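An added illustration of the "Heal The Breach" idea described above (example code written for this note, not Django's implementation or the paper's reference code; the function and constant names are invented): the body is gzipped as usual, then the FNAME flag is set and a random-length, random-content file name is spliced into the header. The random bytes are stored uncompressed, so they add no information about the body to the ciphertext, but they make the response length vary from request to request, which is what the length-based side channel relies on.

```python
import gzip
import secrets

FNAME = 0x08   # gzip FLG bit: a NUL-terminated file name follows the 10-byte header
FEXTRA = 0x04  # gzip FLG bit: an "extra" field precedes the file name


def compress_with_random_padding(data: bytes, max_random_bytes: int = 100) -> bytes:
    """Gzip `data`, then inject 1..max_random_bytes random bytes into the FNAME
    field so that the compressed length differs between otherwise equal responses."""
    compressed = gzip.compress(data, compresslevel=6, mtime=0)
    header = bytearray(compressed[:10])  # ID1 ID2 CM FLG MTIME(4) XFL OS
    if header[3] & (FNAME | FEXTRA):
        raise ValueError("unexpected optional header fields in gzip.compress output")
    header[3] |= FNAME
    n = secrets.randbelow(max_random_bytes) + 1
    # FNAME is NUL-terminated, so a NUL inside the random bytes would cut it short;
    # swapping NULs for another byte keeps the injected length exactly n.
    name = secrets.token_bytes(n).replace(b"\x00", b"\x01") + b"\x00"
    return bytes(header) + name + compressed[10:]


def gzip_filename(stream: bytes) -> bytes:
    """Return the FNAME field of a gzip member (b'' if the flag is not set)."""
    flg = stream[3]
    pos = 10
    if flg & FEXTRA:
        xlen = int.from_bytes(stream[10:12], "little")
        pos += 2 + xlen
    if not flg & FNAME:
        return b""
    return stream[pos:stream.index(b"\x00", pos)]


def decompress_padded(stream: bytes) -> bytes:
    """Standard decoders skip FNAME, so no special client support is needed."""
    return gzip.decompress(stream)


if __name__ == "__main__":
    body = b"<html>secret=" + b"A" * 32 + b"</html>" * 20  # constructed sample body
    sizes = {len(compress_with_random_padding(body)) for _ in range(10)}
    print("distinct response lengths for the same body:", len(sizes))
```

The check in `compress_with_random_padding` matters because `gzip.compress` emits a bare header; if a stream from another source already carries FNAME or FEXTRA, the field offsets must be recomputed rather than assumed.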
Ticket URL: <https://code.djangoproject.com/ticket/34170#comment:2>
Django <https://code.djangoproject.com/>