Security concern: information leakage (even under SSL)


Jeremy Dunck

Mar 25, 2010, 10:50:51 AM
to django-d...@googlegroups.com
There's a new-ish security paper detailing how information can be
gleaned by observing the sizes of secure responses.

Summary here, which links to the original paper:
http://www.freedom-to-tinker.com/blog/felten/side-channel-leaks-web-applications

One possible mitigation is to add cover traffic in the form of padding
so that the information is obscured.

To that end, I hacked out a middleware. I'd like to get some feedback
(testing, suggestions for improvement, etc) from the list.

http://www.djangosnippets.org/snippets/1970/

Once it isn't broken in obvious ways, maybe we can have a security
expert get further feedback and add to core?

Michael

Mar 25, 2010, 11:18:24 AM
to django-d...@googlegroups.com
Thanks for this article. It is very interesting. 

One thing I would like to point out is that this is only a problem on SSL connections (as anyone listening to a non-encrypted connection can easily throw out the padding). Should this middleware detect if the connection is secure before adding the padding, to deter someone from adding 1024 characters to each of their responses for no reason?

It also seems as though the content that is compromised is relatively specific. For example, a standard HTML page with an image or 2 like Django's admin would be more secure than a site which makes considerably more calls to the server. I am no expert, but it appears as though the smaller the request, the less secure it is based on this. Perhaps there is something for the middleware to consider as well.

I am absolutely no expert on this, but security-wise better safe than sorry. We should especially be looking at this as we continue to update the admin with more Ajax and dependencies.

Thanks, Jeremy,

Michael
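
The padding idea discussed in this thread, with the secure-connection check suggested in the reply, as an added example that is not the djangosnippets code and not part of either post. It is a plain WSGI wrapper rather than a Django middleware; `PaddingMiddleware`, `make_padding`, `demo_request`, the sample page and the 1024-character cap are assumptions.

```python
import secrets

PAD_MAX = 1024  # assumed cap, taken from the "1024 characters" figure in the thread


def make_padding(max_pad=PAD_MAX):
    """HTML comment holding 0..max_pad random hex characters."""
    n = secrets.randbelow(max_pad + 1)
    # Random filler rather than one repeated character: gzip would shrink a
    # run of identical bytes to almost nothing and undo the padding.
    filler = secrets.token_hex(n // 2 + 1)[:n]
    return b"<!--" + filler.encode("ascii") + b"-->"


class PaddingMiddleware:
    """Hypothetical WSGI wrapper: pads text/html bodies on HTTPS requests only.
    Buffers the whole body; apps using the legacy write() callable are not handled."""

    def __init__(self, app, max_pad=PAD_MAX):
        self.app, self.max_pad = app, max_pad

    def __call__(self, environ, start_response):
        seen = {}

        def capture(status, headers, exc_info=None):
            seen["status"], seen["headers"] = status, list(headers)

        body = b"".join(self.app(environ, capture))
        ctype = next((v for k, v in seen["headers"] if k.lower() == "content-type"), "")
        if environ.get("wsgi.url_scheme") == "https" and ctype.startswith("text/html"):
            body += make_padding(self.max_pad)
        # Content-Length must describe the padded body, not the original one.
        headers = [(k, v) for k, v in seen["headers"] if k.lower() != "content-length"]
        headers.append(("Content-Length", str(len(body))))
        start_response(seen["status"], headers)
        return [body]


def demo_request(scheme, page=b"<html><body>balance: 10</body></html>"):
    """Run one constructed request through the wrapper; return (headers, body)."""
    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                                  ("Content-Length", str(len(page)))])
        return [page]
    out = {}
    body = b"".join(PaddingMiddleware(app)({"wsgi.url_scheme": scheme},
                                           lambda s, h, e=None: out.update(headers=dict(h))))
    return out["headers"], body
```
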
