Re: Security Advisory: BREACH and Django

Hi Jacob,

Thanks for this!

Idea!

Since many of the mitigations hint at CSRF improvements, consider fixing the issue with CSRF. This should automatically fix issues for both gzip middleware and external projects like mod_deflate etc.

That is, go with mitigation 3.4 and 3.6.

Regards,
Benjamin


On Tuesday, August 6, 2013 4:42:01 PM UTC+2, Jacob Kaplan-Moss wrote:

Hi folks --

At last week's Black Hat conference, researchers announced the BREACH attack (http://breachattack.com/), a new attack on web apps that can recover data even when secured with SSL connections. Given what we know so far, we believe that BREACH may be used to compromise Django's CSRF protection. Thus, we're issuing a security advisory so that our users can defend themselves.

You can read more details, including how the steps you can take to prevent yourself against this attack, on our blog:

    https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/

We plan to take steps to address BREACH in Django itself, but in the meantime we recommend that all users of Django understand this vulnerability and take action if appropriate.

Jacob

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users+unsubscribe@googlegroups.com.
To post to this group, send email to django-users@googlegroups.com.
Visit this group at http://groups.google.com/group/django-users.
For more options, visit https://groups.google.com/groups/opt_out.