On 24/09/11 01:06, Paul McMillan wrote:
> CarlJM's django-secure package [4] solves this problem by requiring
> the user to specify which header they want, if they need support for
> this.
>
> Luke's concerns about the security of this setting are extremely well
> founded. Enabling it when it is not needed is a very serious security
> problem, and negates many of the benefits of using SSL. In contrast,
> since Django doesn't support this configuration out of the box, we
> have users who are losing other benefits that SSL could provide when
> Django assumes all requests are insecure. The most striking example of
> this is our CSRF protection, where we enforce much more rigorous
> requirements on secured connections.
Hmm, I hadn't thought of the security implications of 'is_secure' returning false negatives as well as false positives. We do need it to be reliable in both ways. In the comments on that ticket I had an attack scenario where getting is_secure() == True when it should have been False opened up vulnerabilities, but you have one where the reverse also opens up vulnerabilities, so we definitely need to reconsider this. Further, the one I had thought of applies to code that theoretically exists, or exists outside of Django, but yours is code that is definitely within Django, which swings it the other way.

It is a tricky problem, because I don't know of any perfect solution. My concern is not only that it is possible to configure incorrectly; it appears to be virtually impossible to configure correctly, as it appears to be very hard to get web servers to filter incoming headers, and so filter an X-Forwarded-Protocol=SSL header that is set by a MITM.

My current thinking is that we go with your suggestion, and to cover the problem of a faked HTTPS connection that I was concerned about we just make it clear exactly which way is_secure() is unreliable, and that the main Apache instance must be configured to do the redirection from HTTP to HTTPS if needed. (This is already indicated here: https://docs.djangoproject.com/en/dev/topics/security/#ssl-https but that would need re-working in light of your proposed changes.)

Luke

-- 
I never hated a man enough to give him his diamonds back.
(Zsa Zsa Gabor)

Luke Plant || http://lukeplant.me.uk/
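The two failure modes argued over above (is_secure() wrongly False behind a TLS-terminating proxy, and is_secure() wrongly True when a client or MITM injects the forwarded-protocol header) can be reproduced with a small model of the request path. The following is an added example written for this page, not Django's or django-secure's code: the request environments are constructed WSGI-style dicts, the opt-in header setting is modelled as a plain function parameter rather than any real settings name, the header value "https" and the proxy/client addresses are assumptions, and the trusted-proxy address check is an extra hardening step the thread itself does not propose.

```python
"""Model of request.is_secure() behind a TLS-terminating reverse proxy.

Added example, not Django's implementation. Environ dicts are constructed
samples; addresses, header name and header value are assumptions.
"""

# WSGI name of the header the thread discusses (X-Forwarded-Protocol).
FORWARDED_HEADER = "HTTP_X_FORWARDED_PROTOCOL"
PROXY_ADDR = "10.0.0.2"        # assumed address of our own reverse proxy
CLIENT_ADDR = "203.0.113.9"    # assumed address of an arbitrary client


def client_request(scheme, extra_headers=None):
    """Constructed environ for a client talking to the app directly."""
    environ = {"wsgi.url_scheme": scheme, "REMOTE_ADDR": CLIENT_ADDR}
    environ.update(extra_headers or {})
    return environ


def proxy_forward(environ, tls_terminated, strip_client_header=True):
    """Model a reverse proxy that terminates TLS and forwards over plain HTTP.

    tls_terminated:      whether the client->proxy leg was HTTPS.
    strip_client_header: whether the proxy removes any client-supplied
                         forwarded-protocol header before adding its own.
                         This is the filtering Luke says is hard to get
                         web servers to do; with it off, a client header
                         survives whenever the proxy only adds for HTTPS.
    """
    forwarded = dict(environ)
    forwarded["wsgi.url_scheme"] = "http"   # proxy->app leg is plaintext
    forwarded["REMOTE_ADDR"] = PROXY_ADDR   # app now sees the proxy as peer
    if strip_client_header:
        forwarded.pop(FORWARDED_HEADER, None)
    if tls_terminated:
        forwarded[FORWARDED_HEADER] = "https"
    return forwarded


def is_secure_no_proxy_support(environ):
    """Only the transport the app itself sees counts. Behind a proxy this
    is always False: the false negative Paul describes."""
    return environ.get("wsgi.url_scheme") == "https"


def is_secure_trust_any_header(environ):
    """Believe the forwarded header from anyone. A plain-HTTP client or a
    MITM can claim HTTPS: the false positive Luke describes."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    return environ.get(FORWARDED_HEADER, "").lower() == "https"


def is_secure_opt_in(environ, proxy_header=None, trusted_proxies=()):
    """django-secure style opt-in: the header is consulted only when the
    deployer names it. The trusted_proxies check is an extra hardening
    step added here: ignore the header unless the peer is our proxy."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    if proxy_header is None:
        return False
    if trusted_proxies and environ.get("REMOTE_ADDR") not in trusted_proxies:
        return False
    return environ.get(proxy_header, "").lower() == "https"


def scenarios():
    """Run the cases from the thread; returns scenario name -> is_secure()."""
    trusted = (PROXY_ADDR,)
    spoof = {FORWARDED_HEADER: "https"}
    out = {}

    # 1. Genuine HTTPS via a correctly configured proxy.
    env = proxy_forward(client_request("https"), tls_terminated=True)
    out["tls_via_proxy/no_support"] = is_secure_no_proxy_support(env)
    out["tls_via_proxy/opt_in"] = is_secure_opt_in(env, FORWARDED_HEADER, trusted)

    # 2. Plain HTTP straight to the app with a spoofed header.
    env = client_request("http", spoof)
    out["spoof_direct/trust_any"] = is_secure_trust_any_header(env)
    out["spoof_direct/opt_in"] = is_secure_opt_in(env, FORWARDED_HEADER, trusted)
    out["spoof_direct/not_configured"] = is_secure_opt_in(env)

    # 3. Spoofed header through a proxy that does NOT strip client headers.
    env = proxy_forward(client_request("http", spoof), tls_terminated=False,
                        strip_client_header=False)
    out["spoof_leaky_proxy/opt_in"] = is_secure_opt_in(env, FORWARDED_HEADER, trusted)

    # 4. Same request through a proxy that strips client headers.
    env = proxy_forward(client_request("http", spoof), tls_terminated=False)
    out["spoof_strict_proxy/opt_in"] = is_secure_opt_in(env, FORWARDED_HEADER, trusted)
    return out


if __name__ == "__main__":
    for name, secure in scenarios().items():
        print(f"{name:32s} is_secure={secure}")
```

Scenario 3 is the one that makes the setting "virtually impossible to configure correctly": even with the header opted in and the peer address checked, the app is only as trustworthy as the proxy's willingness to overwrite the header on every request, which is why the thread settles on documenting that the front-end web server must enforce the HTTP-to-HTTPS redirect itself.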
