Security advisory: BREACH and Django

At last week's Black Hat conference, researchers announced the BREACH attack, a new attack on web apps that can recover data even when secured with SSL connections. The BREACH paper (PDF) contains full details (and is a good and fairly easy read).

Given what we know so far, we believe that BREACH may be used to compromise Django's CSRF protection. Thus, we're issuing this advisory so that our users can defend themselves.

BREACH takes advantage of vulnerabilities when serving compressed data over SSL/TLS. Thus, to protect yourself from BREACH, you should disable compression of web responses. Depending on how your application is deployed, this could take a couple forms:

  1. Disabling Django's GZip middleware.
  2. Disabling GZip compression in your web server's config. For example, if you're using Apache you'd want to disable mod_deflate; in nginx you'd disable the gzip module.

Additionally, you should make sure you disable TLS compression by adjusting your server's SSL ciphers.

We plan to take steps to address BREACH in Django itself, but in the meantime we recommend that all users of Django understand this vulnerability and take action if appropriate.

Posted by Jacob Kaplan-Moss on August 6, 2013