Opened 2 years ago

Last modified 2 years ago

#34170 closed New feature

Mitigate the BREACH attack — at Initial Version

Reported by: Andreas Pelme Owned by: nobody
Component: HTTP handling Version: dev
Severity: Normal Keywords: breach, htb, gzip
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

The BREACH attach (https://breachattack.com/) was published in 2013. The Django project responded soon after (https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/) suggesting users to basically stop using gzip. CSRF masking was implemented in 2016 (#20869).

In April 2022, a paper called "Heal The Breach" was published, suggesting a mitigation that does not depend on masking specific tokens or injecting data into HTML. It is rather a generic and effective mitigation. It suggests adding randomness to the compressed response by injecting random bytes in the gzip filename field of the gzip stream: https://ieeexplore.ieee.org/document/9754554

Telling users to disable gzip is not great for bandwidth consumption. I propose that Django should implement "Heal The Breach" with sensible default.

Change History (0)

Note: See TracTickets for help on using tickets.
Back to Top