----- Forwarded message from Josh Steiner <josh@vitriolix.com> -----

Date: Tue, 6 Aug 2013 11:06:10 -0700
From: Josh Steiner <josh@vitriolix.com>
To: Guardian Dev <guardian-dev@lists.mayfirst.org>
Subject: [guardian-dev] BREACH: SSL is pwnd

in summary, you need to turn off gzip to mitigate this for now:

http://breachattack.com/

https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/

At last week's Black Hat conference, researchers announced the BREACH attack<http://breachattack.com/>, a new attack on web apps that can recover data even when secured with SSL connections. The BREACH paper<http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf> (PDF) contains full details (and is a good and fairly easy read).

Given what we know so far, we believe that *BREACH may be used to compromise Django's CSRF protection*. Thus, we're issuing this advisory so that our users can defend themselves.

BREACH takes advantage of vulnerabilities when serving compressed data over SSL/TLS. Thus, to protect yourself from BREACH, you should disable compression of web responses. Depending on how your application is deployed, this could take a couple forms:

1. Disabling Django's GZip middleware<https://docs.djangoproject.com/en/dev/ref/middleware/#module-django.middleware.gzip>.

2. Disabling GZip compression in your web server's config. For example, if you're using Apache you'd want to disable mod_deflate<http://httpd.apache.org/docs/2.2/mod/mod_deflate.html>; in nginx you'd disable the gzip module<http://wiki.nginx.org/HttpGzipModule>.

Additionally, you should make sure you disable TLS compression by adjusting your server's SSL ciphers<http://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/>.

We plan to take steps to address BREACH in Django itself, but in the meantime we recommend that all users of Django understand this vulnerability and take action if appropriate.
Posted by *Jacob Kaplan-Moss* on August 6, 2013

----- End forwarded message -----

-- 
Eugen Leitl
http://leitl.org
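The forwarded advisory tells Django users to switch off HTTP-level and TLS-level compression. As an added example that is not part of the forwarded post or of Django itself, the Python below is a small checker for confirming that mitigation: it parses a raw HTTP response (the two sample responses are constructed, not captured), flags a gzip/deflate-encoded body that also carries Django's `csrfmiddlewaretoken` form field, and `tls_compression()` makes a live connection to report whether TLS-level compression was negotiated (host and port are whatever you pass in).

```python
import gzip
import socket
import ssl
import zlib

# Encodings that make the response length depend on the body's content.
COMPRESSED_ENCODINGS = {"gzip", "deflate"}

def parse_response(raw):
    """Split a raw HTTP/1.x response into (headers, body); header names lowercased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("iso-8859-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def http_compression_enabled(raw):
    """True if the server applied gzip/deflate to the body, i.e. the
    Django middleware / mod_deflate / nginx gzip module is still on."""
    headers, _ = parse_response(raw)
    encodings = headers.get("content-encoding", "identity").lower()
    return any(e.strip() in COMPRESSED_ENCODINGS for e in encodings.split(","))

def breach_exposed(raw, secret_marker=b"csrfmiddlewaretoken"):
    """BREACH needs a compressed body that also carries a per-session secret;
    the marker defaults to the name of Django's CSRF form field."""
    headers, body = parse_response(raw)
    if not http_compression_enabled(raw):
        return False
    encoding = headers["content-encoding"].lower()
    body = gzip.decompress(body) if "gzip" in encoding else zlib.decompress(body)
    return secret_marker in body

def tls_compression(host, port=443):
    """Live check: name of the TLS-level compression negotiated, or None.
    The client has to offer compression, or the server can never select it."""
    ctx = ssl.create_default_context()
    ctx.options &= ~ssl.OP_NO_COMPRESSION
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.compression()

# Constructed sample responses (not captured from any real server).
_FORM = b"<form><input type='hidden' name='csrfmiddlewaretoken' value='x'></form>"
SAMPLE_GZIP = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
               b"Content-Encoding: gzip\r\n\r\n" + gzip.compress(_FORM))
SAMPLE_PLAIN = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + _FORM
```

Most current OpenSSL builds are compiled without TLS compression at all, so `tls_compression()` returning None shows only that this client could not negotiate it, not that the server's cipher configuration has been hardened.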