[guardian-dev] BREACH: SSL is pwnd
Eugen Leitl
eugen at leitl.org
Tue Aug 6 11:07:47 PDT 2013
----- Forwarded message from Josh Steiner <josh at vitriolix.com> -----
Date: Tue, 6 Aug 2013 11:06:10 -0700
From: Josh Steiner <josh at vitriolix.com>
To: Guardian Dev <guardian-dev at lists.mayfirst.org>
Subject: [guardian-dev] BREACH: SSL is pwnd
In summary, you need to turn off gzip to mitigate this for now:
http://breachattack.com/
https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
At last week's Black Hat conference, researchers announced the BREACH
attack <http://breachattack.com/>, a new attack on web apps that can
recover data even when secured with SSL connections. The BREACH paper
<http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf>
(PDF) contains full details (and is a good and fairly easy read).
Given what we know so far, we believe that *BREACH may be used to
compromise Django's CSRF protection*. Thus, we're issuing this advisory so
that our users can defend themselves.
BREACH takes advantage of vulnerabilities when serving compressed data over
SSL/TLS. Thus, to protect yourself from BREACH, you should disable
compression of web responses. Depending on how your application is
deployed, this could take a couple forms:
1. Disabling Django's GZip middleware
   <https://docs.djangoproject.com/en/dev/ref/middleware/#module-django.middleware.gzip>.
2. Disabling GZip compression in your web server's config. For example,
   if you're using Apache you'd want to disable mod_deflate
   <http://httpd.apache.org/docs/2.2/mod/mod_deflate.html>; in nginx
   you'd disable the gzip module <http://wiki.nginx.org/HttpGzipModule>.
Additionally, you should make sure you disable TLS compression by adjusting
your server's SSL ciphers
<http://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/>.
We plan to take steps to address BREACH in Django itself, but in the
meantime we recommend that all users of Django understand this
vulnerability and take action if appropriate.
Posted by *Jacob Kaplan-Moss* on August 6, 2013
_______________________________________________
Guardian-dev mailing list
Post: Guardian-dev at lists.mayfirst.org
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
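The advisory says BREACH "takes advantage of vulnerabilities when serving compressed data over SSL/TLS" and that the fix is to stop compressing. The following is an added example, not code from the Django advisory, the BREACH authors or the Guardian project, that models the size oracle behind the attack with plain zlib so you can see the leak and watch it vanish when compression is off. Everything in it is constructed for the demo: the page layout, the known boilerplate PREFIX in front of the token, the six-character SECRET, the PAD filler, and the use of fixed Huffman codes (zlib.Z_FIXED) so that one saved literal is exactly one byte on the wire; against zlib's default dynamic Huffman codes the same oracle is noisier and a real attacker averages repeated measurements. The guess-ordering trick (measure prefix+guess+pad against prefix+pad+guess) is the BREACH paper's "two tries" method. The oracle is the same whether the compression is HTTP-level gzip or TLS-level compression, which is why the advisory lists both.

```python
"""
Toy model of the BREACH size oracle (added example, not from the advisory).

Constructed assumptions:
  * the page embeds a secret after known boilerplate (PREFIX)
  * the same page reflects an attacker-chosen query string verbatim
  * the attacker only learns the size of the response, which is what a
    passive observer of a TLS connection sees
  * DEFLATE uses fixed Huffman codes (zlib.Z_FIXED), so the size signal is
    exactly one byte per correctly guessed character
"""
import string
import zlib

PREFIX = "csrf-token: "                       # known page boilerplate (constructed)
SECRET = "Zq7P9x"                             # constructed secret the attacker wants
ALPHABET = string.ascii_letters + string.digits
PAD = "{}"                                    # filler that occurs nowhere else in the page


def render_page(reflected: str, secret: str = SECRET) -> bytes:
    """Constructed HTML: attacker input is reflected before the secret."""
    return (
        "<html><body><p>You searched for &quot;" + reflected + "&quot;</p>"
        "<p>" + PREFIX + secret + "</p></body></html>"
    ).encode()


def wire_size(reflected: str, compress: bool) -> int:
    """Bytes a network observer sees. TLS hides the content, not the length."""
    body = render_page(reflected)
    if compress:
        # Fixed Huffman codes keep the demo deterministic; see lead-in.
        comp = zlib.compressobj(level=9, strategy=zlib.Z_FIXED)
        body = comp.compress(body) + comp.flush()
    return len(body)


def recover_secret(max_len: int = len(SECRET), compress: bool = True) -> str:
    """Recover the secret one character at a time from the size oracle.

    For each candidate c two pages are measured ("two tries"):
      A: PREFIX + known + c + PAD
      B: PREFIX + known + PAD + c
    When c is right, page A lets LZ77 match one more byte of the secret
    against the reflected input, so A is one byte shorter than B. When c is
    wrong both pages contain the same symbols and compress to the same size.
    """
    known = ""
    while len(known) < max_len:
        scores = {}
        for c in ALPHABET:
            a = wire_size(PREFIX + known + c + PAD, compress)
            b = wire_size(PREFIX + known + PAD + c, compress)
            scores[c] = a - b
        best = min(scores, key=scores.get)
        ambiguous = sum(1 for v in scores.values() if v == scores[best]) > 1
        if scores[best] >= 0 or ambiguous:
            break                             # no usable size signal: oracle closed
        known += best
    return known


if __name__ == "__main__":
    print("with compression   :", repr(recover_secret()))
    print("without compression:", repr(recover_secret(compress=False)))
```

Run it and the compressed case yields the full SECRET while the uncompressed case yields nothing, because with compression disabled every reflection of the same length produces a response of the same length. Note that the mitigation in the advisory (no gzip middleware, no mod_deflate/nginx gzip, no TLS compression) is exactly the compress=False branch; it removes the oracle rather than hiding the token.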