Opened 2 years ago
Closed 2 years ago
#34170 closed New feature (fixed)
Mitigate the BREACH attack
Description (last modified by ) ¶
The BREACH attack (https://breachattack.com/) was published in 2013. The Django project responded soon after (https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/) suggesting users to basically stop using gzip. CSRF masking was implemented in 2016 (#20869).
In April 2022, a paper called "Heal The Breach" was published, suggesting a mitigation that does not depend on masking specific tokens or injecting data into HTML. It is rather a generic and effective mitigation. It suggests adding randomness to the compressed response by injecting random bytes in the gzip filename field of the gzip stream: https://ieeexplore.ieee.org/document/9754554
Telling users to disable gzip is not great for bandwidth consumption. I propose that Django should implement "Heal The Breach" with sensible default.
Change History (6)
comment:1 by , 2 years ago
| Has patch: | set |
|---|---|
| Patch needs improvement: | set |
| Triage Stage: | Unreviewed → Accepted |
| Version: | 4.1 → dev |
comment:2 by , 2 years ago
| Description: | modified (diff) |
|---|---|
| Keywords: | breach htb gzip added |
| Owner: | changed from to |
comment:3 by , 2 years ago
| Needs documentation: | set |
|---|
comment:4 by , 2 years ago
| Needs documentation: | unset |
|---|
comment:5 by , 2 years ago
| Patch needs improvement: | unset |
|---|---|
| Triage Stage: | Accepted → Ready for checkin |
PR.