Mitigate the BREACH attack
The BREACH attack (https://breachattack.com/) was published in 2013. The Django project responded soon after (https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/) suggesting users to basically stop using gzip. CSRF masking was implemented in 2016 (#20869).
In April 2022, a paper called "Heal The Breach" was published, suggesting a mitigation that does not depend on masking specific tokens or injecting data into HTML. It is rather a generic and effective mitigation. It suggests adding randomness to the compressed response by injecting random bytes in the gzip filename field of the gzip stream: https://ieeexplore.ieee.org/document/9754554
Telling users to disable gzip is not great for bandwidth consumption. I propose that Django should implement "Heal The Breach" with sensible default.
Change History
(6)
| Has patch: |
set
|
| Patch needs improvement: |
set
|
| Triage Stage: |
Unreviewed → Accepted
|
| Version: |
4.1 → dev
|
| Description: |
modified (diff)
|
| Keywords: |
breach htb gzip added
|
| Owner: |
changed from nobody to Andreas Pelme
|
| Needs documentation: |
unset
|
| Patch needs improvement: |
unset
|
| Triage Stage: |
Accepted → Ready for checkin
|
| Resolution: |
→ fixed
|
| Status: |
assigned → closed
|
PR.