[Django] #34170: Mitigate the BREACH attack


Django
Nov 20, 2022, 3:46:18 PM
to django-...@googlegroups.com
#34170: Mitigate the BREACH attack
-----------------------------------------+--------------------------
Reporter: Andreas Pelme | Owner: nobody
Type: New feature | Status: assigned
Component: HTTP handling | Version: 4.1
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 0
UI/UX: 0 |
-----------------------------------------+--------------------------
The BREACH attack (https://breachattack.com/) was published in 2013. The
Django project responded soon after
(https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/)
by suggesting that users basically stop using gzip. CSRF masking was
implemented in 2016 (#20869).

In April 2022, a paper called "Heal The Breach" was published, suggesting
a mitigation that does not depend on masking specific tokens or injecting
data into HTML. It is rather a generic and effective mitigation. It
suggests adding randomness to the compressed response by injecting random
bytes in the gzip filename field of the gzip stream:
https://ieeexplore.ieee.org/document/9754554

Telling users to disable gzip is not great for bandwidth consumption. I
propose that Django should implement "Heal The Breach" with sensible
defaults.

--
Ticket URL: <https://code.djangoproject.com/ticket/34170>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
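The mechanism the ticket proposes, as an added example that is not Django's own GZipMiddleware code: gzip a body with a random-length filler in the header's FNAME field, confirm the stream still decompresses unchanged, and read the padding length back out of the RFC 1952 header. SAMPLE_BODY is a constructed page and the function names are assumptions of this example.

```python
import gzip
import secrets
from io import BytesIO
from typing import Optional

# Constructed sample response: a page that reflects user input next to a
# secret, the shape of page BREACH measures compressed lengths against.
SAMPLE_BODY = (
    b"<html><body><form><input type='hidden' name='csrf' value='S3cr3tT0k3n'>"
    b"<p>Search results for: example</p></form></body></html>"
)


def compress_with_htb(data: bytes, *, max_random_bytes: int = 100,
                      pad_len: Optional[int] = None) -> bytes:
    """Gzip ``data`` with Heal The Breach style padding in the FNAME field.

    The filler lives in the gzip header, so decompressors ignore it and it is
    never compressed.  The filler bytes are constant; only their length is
    random, which is what blurs the on-the-wire size.  ``pad_len`` fixes the
    length for deterministic tests.
    """
    if pad_len is None:
        pad_len = secrets.randbelow(max_random_bytes + 1)
    buf = BytesIO()
    # GzipFile writes ``filename`` verbatim as the NUL-terminated FNAME field;
    # an empty name leaves the FNAME flag clear.  mtime=0 keeps output stable.
    with gzip.GzipFile(filename=b"a" * pad_len, mode="wb", compresslevel=6,
                       fileobj=buf, mtime=0) as f:
        f.write(data)
    return buf.getvalue()


def htb_padding_length(blob: bytes) -> int:
    """Parse a gzip member header (RFC 1952) and return the FNAME length."""
    if blob[:2] != b"\x1f\x8b" or blob[2] != 8:
        raise ValueError("not a gzip/deflate member")
    flg, pos = blob[3], 10          # fixed header is 10 bytes
    if flg & 0x04:                  # FEXTRA: 2-byte LE length, then payload
        pos += 2 + int.from_bytes(blob[pos:pos + 2], "little")
    if not flg & 0x08:              # FNAME flag clear: no padding present
        return 0
    return blob.index(b"\x00", pos) - pos


def roundtrips(data: bytes, **kwargs) -> bool:
    """True if the padded stream still decompresses to the original bytes."""
    return gzip.decompress(compress_with_htb(data, **kwargs)) == data


def observed_lengths(data: bytes, samples: int = 30) -> set:
    """Distinct on-the-wire sizes an observer sees for one identical body."""
    return {len(compress_with_htb(data)) for _ in range(samples)}
```

Because the deflate payload is identical with or without the filler, a padding of N bytes changes the response size by exactly N+1 (the NUL terminator), which is how the random length hides the one-byte differences BREACH depends on.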

Django
Nov 20, 2022, 5:48:31 PM
to django-...@googlegroups.com
#34170: Mitigate the BREACH attack
-------------------------------+------------------------------------
Reporter: Andreas Pelme | Owner: nobody
Type: New feature | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------+------------------------------------
Changes (by Nick Pope):

* needs_better_patch: 0 => 1
* has_patch: 0 => 1
* version: 4.1 => dev
* stage: Unreviewed => Accepted


Comment:

[https://github.com/django/django/pull/16311 PR].

--
Ticket URL: <https://code.djangoproject.com/ticket/34170#comment:1>

Django
Nov 20, 2022, 5:50:07 PM
to django-...@googlegroups.com
#34170: Mitigate the BREACH attack
-------------------------------------+-------------------------------------
Reporter: Andreas Pelme | Owner: Andreas Pelme
Type: New feature | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: breach, htb, gzip | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Nick Pope):

* keywords: => breach, htb, gzip
* owner: nobody => Andreas Pelme


Old description:

> The BREACH attach (https://breachattack.com/) was published in 2013. The
> Django project responded soon after
> (https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/)
> suggesting users to basically stop using gzip. CSRF masking was
> implemented in 2016 (#20869).
>
> In April 2022, a paper called "Heal The Breach" was published, suggesting
> a mitigation that does not depend on masking specific tokens or injecting
> data into HTML. It is rather a generic and effective mitigation. It
> suggests adding randomness to the compressed response by injecting random
> bytes in the gzip filename field of the gzip stream:
> https://ieeexplore.ieee.org/document/9754554
>
> Telling users to disable gzip is not great for bandwidth consumption. I
> propose that Django should implement "Heal The Breach" with sensible
> default.

New description:

The BREACH attack (https://breachattack.com/) was published in 2013. The
Django project responded soon after
(https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/)
by suggesting that users basically stop using gzip. CSRF masking was
implemented in 2016 (#20869).

In April 2022, a paper called "Heal The Breach" was published, suggesting
a mitigation that does not depend on masking specific tokens or injecting
data into HTML. It is rather a generic and effective mitigation. It
suggests adding randomness to the compressed response by injecting random
bytes in the gzip filename field of the gzip stream:
https://ieeexplore.ieee.org/document/9754554

Telling users to disable gzip is not great for bandwidth consumption. I
propose that Django should implement "Heal The Breach" with sensible
defaults.

--

--
Ticket URL: <https://code.djangoproject.com/ticket/34170#comment:2>

Django
Nov 20, 2022, 11:24:41 PM
to django-...@googlegroups.com
#34170: Mitigate the BREACH attack
-------------------------------------+-------------------------------------
Reporter: Andreas Pelme | Owner: Andreas Pelme
Type: New feature | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: breach, htb, gzip | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 1
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* needs_docs: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/34170#comment:3>

Django
Nov 25, 2022, 2:59:30 AM
to django-...@googlegroups.com
#34170: Mitigate the BREACH attack
-------------------------------------+-------------------------------------
Reporter: Andreas Pelme | Owner: Andreas Pelme
Type: New feature | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: breach, htb, gzip | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Andreas Pelme):

* needs_docs: 1 => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/34170#comment:4>

Django
Dec 17, 2022, 2:49:17 AM
to django-...@googlegroups.com
#34170: Mitigate the BREACH attack
-------------------------------------+-------------------------------------
Reporter: Andreas Pelme | Owner: Andreas Pelme
Type: New feature | Status: assigned
Component: HTTP handling | Version: dev
Severity: Normal | Resolution:
Keywords: breach, htb, gzip | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak):

* needs_better_patch: 1 => 0
* stage: Accepted => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/34170#comment:5>

Django
Dec 17, 2022, 2:07:44 PM
to django-...@googlegroups.com
#34170: Mitigate the BREACH attack
-------------------------------------+-------------------------------------
Reporter: Andreas Pelme | Owner: Andreas Pelme
Type: New feature | Status: closed
Component: HTTP handling | Version: dev
Severity: Normal | Resolution: fixed
Keywords: breach, htb, gzip | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Mariusz Felisiak <felisiak.mariusz@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"ab7a85ac297464df82d8363455609979ca3603db" ab7a85ac]:
{{{
#!CommitTicketReference repository=""
revision="ab7a85ac297464df82d8363455609979ca3603db"
Fixed #34170 -- Implemented Heal The Breach (HTB) in GzipMiddleware.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/34170#comment:6>
