Opened 2 years ago

Closed 2 years ago

#34170 closed New feature (fixed)

Mitigate the BREACH attack

Reported by: Andreas Pelme Owned by: Andreas Pelme
Component: HTTP handling Version: dev
Severity: Normal Keywords: breach, htb, gzip
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Nick Pope)

The BREACH attack (https://breachattack.com/) was published in 2013. The Django project responded soon after (https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/) suggesting users to basically stop using gzip. CSRF masking was implemented in 2016 (#20869).

In April 2022, a paper called "Heal The Breach" was published, suggesting a mitigation that does not depend on masking specific tokens or injecting data into HTML. It is rather a generic and effective mitigation. It suggests adding randomness to the compressed response by injecting random bytes in the gzip filename field of the gzip stream: https://ieeexplore.ieee.org/document/9754554

Telling users to disable gzip is not great for bandwidth consumption. I propose that Django should implement "Heal The Breach" with sensible default.

Change History (6)

comment:1 by Nick Pope, 2 years ago

Has patch: set
Patch needs improvement: set
Triage Stage: UnreviewedAccepted
Version: 4.1dev

PR.

comment:2 by Nick Pope, 2 years ago

Description: modified (diff)
Keywords: breach htb gzip added
Owner: changed from nobody to Andreas Pelme

comment:3 by Mariusz Felisiak, 2 years ago

Needs documentation: set

comment:4 by Andreas Pelme, 2 years ago

Needs documentation: unset

comment:5 by Mariusz Felisiak, 2 years ago

Patch needs improvement: unset
Triage Stage: AcceptedReady for checkin

comment:6 by Mariusz Felisiak <felisiak.mariusz@…>, 2 years ago

Resolution: fixed
Status: assignedclosed

In ab7a85ac:

Fixed #34170 -- Implemented Heal The Breach (HTB) in GzipMiddleware.

Note: See TracTickets for help on using tickets.
Back to Top