[guardian-dev] BREACH: SSL is pwnd

Eugen Leitl eugen@leitl.org
Tue Aug 6 11:07:47 PDT 2013


----- Forwarded message from Josh Steiner <josh@vitriolix.com> -----

Date: Tue, 6 Aug 2013 11:06:10 -0700
From: Josh Steiner <josh@vitriolix.com>
To: Guardian Dev <guardian-dev@lists.mayfirst.org>
Subject: [guardian-dev] BREACH: SSL is pwnd

In summary, you need to turn off gzip to mitigate this for now:

http://breachattack.com/

https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/

At last week's Black Hat conference, researchers announced the BREACH
attack <http://breachattack.com/>, a new attack on web apps that can
recover data even when secured with SSL connections. The BREACH paper
<http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf>
(PDF) contains full details (and is a good and fairly easy read).

Given what we know so far, we believe that *BREACH may be used to
compromise Django's CSRF protection*. Thus, we're issuing this advisory so
that our users can defend themselves.

BREACH takes advantage of vulnerabilities when serving compressed data over
SSL/TLS. Thus, to protect yourself from BREACH, you should disable
compression of web responses. Depending on how your application is
deployed, this could take a couple forms:

   1. Disabling Django's GZip middleware
      <https://docs.djangoproject.com/en/dev/ref/middleware/#module-django.middleware.gzip>.
   2. Disabling GZip compression in your web server's config. For example,
      if you're using Apache you'd want to disable mod_deflate
      <http://httpd.apache.org/docs/2.2/mod/mod_deflate.html>; in nginx
      you'd disable the gzip module <http://wiki.nginx.org/HttpGzipModule>.

Additionally, you should make sure you disable TLS compression by adjusting
your server's SSL ciphers
<http://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/>.

We plan to take steps to address BREACH in Django itself, but in the
meantime we recommend that all users of Django understand this
vulnerability and take action if appropriate.

Posted by *Jacob Kaplan-Moss* on August 6, 2013

_______________________________________________
Guardian-dev mailing list

Post: Guardian-dev@lists.mayfirst.org
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev



----- End forwarded message -----
-- 
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
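Disabling compression is the advice above; the BREACH paper also lists masking the secret with a fresh random value on every response, so the bytes that reach the compressor never repeat between requests (Django later adopted this for its CSRF token, in 1.10). The following is an added example, not code from the Django post or from this list message; the 32-character alphabet-restricted token and the function names are assumptions modelled on Django's CSRF token of the time.

```python
import hmac
import secrets

# Assumptions for this example (modelled on Django's CSRF token of the time,
# not Django's own code): a 32-character secret over this alphabet.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
TOKEN_LEN = 32
_N = len(ALPHABET)


def _check(value: str, length: int) -> None:
    if len(value) != length or any(c not in ALPHABET for c in value):
        raise ValueError("expected %d characters from the token alphabet" % length)


def mask_token(secret: str) -> str:
    """Return mask || (secret + mask), with a fresh random mask on every call.

    Each rendered response carries a different 64-character string, so the
    token bytes in one response bear no repeatable relation to those in the
    next; the repetition a compression side channel relies on is gone."""
    _check(secret, TOKEN_LEN)
    mask = "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LEN))
    cipher = "".join(
        ALPHABET[(ALPHABET.index(s) + ALPHABET.index(m)) % _N]
        for s, m in zip(secret, mask)
    )
    return mask + cipher


def unmask_token(token: str) -> str:
    """Recover the secret from a masked token (inverse of mask_token)."""
    _check(token, 2 * TOKEN_LEN)
    mask, cipher = token[:TOKEN_LEN], token[TOKEN_LEN:]
    return "".join(
        ALPHABET[(ALPHABET.index(c) - ALPHABET.index(m)) % _N]
        for c, m in zip(cipher, mask)
    )


def csrf_tokens_match(submitted: str, cookie_secret: str) -> bool:
    """Server-side check: unmask the submitted form value and compare it to
    the cookie secret in constant time. Malformed input is rejected outright."""
    try:
        _check(cookie_secret, TOKEN_LEN)
        return hmac.compare_digest(unmask_token(submitted), cookie_secret)
    except ValueError:
        return False
```

The cookie keeps the unmasked secret; only the value embedded in the page body changes per response.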