[guardian-dev] BREACH: SSL is pwnd

Eugen Leitl eugen at leitl.org
Tue Aug 6 11:07:47 PDT 2013


----- Forwarded message from Josh Steiner <josh at vitriolix.com> -----

Date: Tue, 6 Aug 2013 11:06:10 -0700
From: Josh Steiner <josh at vitriolix.com>
To: Guardian Dev <guardian-dev at lists.mayfirst.org>
Subject: [guardian-dev] BREACH: SSL is pwnd

In summary, you need to turn off gzip to mitigate this for now:

http://breachattack.com/

https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/

At last week's Black Hat conference, researchers announced the BREACH attack
<http://breachattack.com/>, a new attack on web apps that can recover data
even when secured with SSL connections. The BREACH paper
<http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf>
(PDF) contains full details (and is a good and fairly easy read).

Given what we know so far, we believe that *BREACH may be used to
compromise Django's CSRF protection*. Thus, we're issuing this advisory so
that our users can defend themselves.

BREACH takes advantage of vulnerabilities when serving compressed data over
SSL/TLS. Thus, to protect yourself from BREACH, you should disable
compression of web responses. Depending on how your application is
deployed, this could take a couple of forms:

   1. Disabling Django's GZip middleware
      <https://docs.djangoproject.com/en/dev/ref/middleware/#module-django.middleware.gzip>.
   2. Disabling GZip compression in your web server's config. For example,
      if you're using Apache you'd want to disable mod_deflate
      <http://httpd.apache.org/docs/2.2/mod/mod_deflate.html>; in nginx
      you'd disable the gzip module <http://wiki.nginx.org/HttpGzipModule>.

Additionally, you should make sure you disable TLS compression by adjusting
your server's SSL ciphers
<http://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/>.

We plan to take steps to address BREACH in Django itself, but in the
meantime we recommend that all users of Django understand this
vulnerability and take action if appropriate.

Posted by *Jacob Kaplan-Moss* on August 6, 2013

_______________________________________________
Guardian-dev mailing list

Post: Guardian-dev at lists.mayfirst.org
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev

To Unsubscribe
        Send email to:  Guardian-dev-unsubscribe at lists.mayfirst.org
        Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/eugen%40leitl.org

You are subscribed as: eugen at leitl.org


----- End forwarded message -----
-- 
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
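The forwarded advisory says to disable response compression, but not why that is sufficient. The following is an added illustration (not from the original thread, Django, or the BREACH paper) of the effect the mitigation removes: when a page contains both a secret (here a constructed, fake CSRF token) and request-controlled text, the DEFLATE-compressed size of the page changes depending on whether the controlled text resembles the secret, while the uncompressed size does not. It also includes a trivial settings check for the advisory's first mitigation step. The page markup, token value and middleware list are all constructed for the example.

```python
import zlib

# Constructed sample secret standing in for a Django CSRF token (not a real value).
SECRET = '<input type="hidden" name="csrfmiddlewaretoken" value="5f3e9a1c7b2d">'


def render_page(reflected: str) -> bytes:
    """Build a constructed response body that contains both the secret and
    some request-controlled text (a reflected search query), which is the
    combination the advisory warns about."""
    html = (
        "<html><head><title>Search</title></head><body>\n"
        "<div class='nav'><a href='/'>Home</a> <a href='/search'>Search</a></div>\n"
        f"<p>Results for: {reflected}</p>\n"
        "<form method='post' action='/search'>\n"
        f"{SECRET}\n"
        "<input type='text' name='q'>\n"
        "<input type='submit' value='Search'>\n"
        "</form></body></html>\n"
    )
    return html.encode()


def response_length(reflected: str, compress: bool) -> int:
    """Size on the wire of the page for a given reflected string, with or
    without HTTP-level gzip (zlib uses the same DEFLATE algorithm)."""
    body = render_page(reflected)
    return len(zlib.compress(body, 9)) if compress else len(body)


def length_depends_on_secret(compress: bool) -> bool:
    """True if the response size differs between a reflected string that
    shares a prefix with the secret and one of equal length that does not.
    True means the size is a side channel for the secret; False means the
    response length carries no information about it."""
    matching = 'csrfmiddlewaretoken" value="5f3e'      # shares a prefix with SECRET
    non_matching = 'csrfmiddlewaretoken" value="wxyz'  # same length, no shared prefix
    return response_length(matching, compress) != response_length(non_matching, compress)


def has_gzip_middleware(middleware_setting) -> bool:
    """Mitigation step 1 from the advisory: flag GZipMiddleware in a
    Django MIDDLEWARE_CLASSES list (assumed to be passed in as a sequence)."""
    return "django.middleware.gzip.GZipMiddleware" in middleware_setting


if __name__ == "__main__":
    print("size leaks with gzip:   ", length_depends_on_secret(compress=True))   # True
    print("size leaks without gzip:", length_depends_on_secret(compress=False))  # False
    sample_settings = [  # constructed settings list
        "django.middleware.common.CommonMiddleware",
        "django.middleware.gzip.GZipMiddleware",
        "django.middleware.csrf.CsrfViewMiddleware",
    ]
    print("GZipMiddleware present: ", has_gzip_middleware(sample_settings))      # True
```

The two `length_depends_on_secret` calls are the whole point: with compression on, the sizes differ, so the secret influences something observable on the wire; with compression off, both bodies are the same length and nothing is learned. For the advisory's second point, TLS-level compression, `openssl s_client -connect host:443` prints a `Compression:` line in its output, and a hardened server should show `Compression: NONE`.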



More information about the cypherpunks mailing list