Menu
I am looking to enable text compression in Django. The performance docs reference GZip Middleware as the current solution for text compression. However, it comes with a stern warning:
GZipMiddleware
Compresses responses for all modern browsers, saving bandwidth and transfer time. Note that GZipMiddleware is currently considered a security risk, and is vulnerable to attacks that nullify the protection provided by TLS/SSL. See the warning in GZipMiddleware for more information.
A couple of questions:
POST and I have CSRF Middleware enabled am I safe?Again, via the docs:
Changed in Django 1.10: In older versions, Django’s CSRF protection mechanism was vulnerable to BREACH attacks when compression was used. This is no longer the case, but you should still take care not to compromise your own secrets this way.
575
gzip. GZipMiddleware compresses content for browsers that understand GZip compression (all modern browsers). This middleware should be placed before any other middleware that need to read or write the response body so that compression happens afterward.
“Common” middlewareForbids access to user agents in the DISALLOWED_USER_AGENTS setting, which should be a list of compiled regular expression objects. Performs URL rewriting based on the APPEND_SLASH and PREPEND_WWW settings.
Overview. Middleware is software that provides common services and capabilities to applications outside of what's offered by the operating system. Data management, application services, messaging, authentication, and API management are all commonly handled by middleware.
I definitely suggest looking at the BREACH paper, which is short and quite clear.
As noted there:
In order for the attack to be successful, several things are required. To be vulnerable to this side-channel, a web app must:
- Be served from a server that uses HTTP-level compression
- Reflect user-input in HTTP response bodies
- Reflect a secret (such as a CSRF token) in HTTP response bodies
So, if you aren't reflecting user information and secrets in the response body, you aren't vulnerable.
If you are, it's unlikely that any text compression scheme will work. The attack takes advantage of the fundamental nature of text compression: that repeated text should take up less space. It's possible that there is a compression scheme that wouldn't be vulnerable, but you would definitely need to see some assurance of that.
Because this attack is based on specific application features, rather than being a framework vulnerability, it's not possible for Django to to ensure that applications are "safe". What Django can do is protect the primary secret that is vulnerable to BREACH that it supplies support for: the CSRF token. Since version 1.10, Django has used one of the mitigations suggested in the paper (see section 3.4) to protect it from this attack:
In order to protect against BREACH attacks, the token is not simply the secret; a random salt is prepended to the secret and used to scramble it.
To summarize: if the only secret you need to protect is Django's CSRF token, and you're using Django 1.10 or greater, it's reasonable to conclude that you can use gzip and still be safe from BREACH.
63
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
