Hi,

You can find my work-in-progress at https://github.com/django/django/pull/1454. It is nowhere near ready yet -- it is still missing some pieces and has commented-out debug printing, but I'm done for tonight, and I think it is advanced enough that people may want to take a look and comment.
On Saturday 03 August 2013 19:51:30 Michael Mior wrote:
> In light of BREACH[1] it might be worth looking into having the option of
> adding a one-time pad to the CSRF token as well. Has anyone started
> development on any of the suggestions in this thread yet? If not, it's
> something I'd be interested in exploring.
>
> [1] http://breachattack.com/resources/BREACH%20-%20SSL,%20gone%20in%2030%20seconds.pdf
>

I did not include anything related to BREACH -- at first I thought that adding the signature (which is very close to random padding) on both sides of the secret would help, but apparently that is not very valuable; on the contrary, the timestamp gives very predictable context at the end of the secret token. So the solution will probably involve using some sort of XORed (or otherwise added) one-time pad. Thanks to the good work of django.core.signing, which I am trying to build upon, I think this will be easy to add (as a new kind of signer).

Your comments are welcome; I hope I'm not completely off-base.

Shai.

--
You received this message because you are subscribed to the Google Groups "Django developers" group.
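The XOR one-time-pad idea from the message above, worked through as an added example. This is not code from Django, from django.core.signing, or from the linked pull request; it assumes a layout of pad || (secret XOR pad) for the value embedded in each response, a 32-byte secret, and a small constructed page body (not real Django output) to show the compression length oracle that BREACH exploits against a static token.

```python
"""Per-response XOR masking of a CSRF secret as a BREACH countermeasure.

Added example, not Django's code.  Assumptions: the masked value is
pad || (secret XOR pad), urlsafe-base64 encoded; SECRET_LEN is 32 bytes;
the HTML below is a constructed stand-in for a real response.
"""
import base64
import binascii
import hmac
import secrets
import zlib
from typing import Optional

SECRET_LEN = 32  # assumed length of the per-session CSRF secret, in bytes


def mask(secret: bytes) -> str:
    """Return pad || (secret XOR pad) with a fresh random pad on every call.

    The secret never changes, but the string that lands in the HTML does, so
    a compression oracle can only compare guesses against a one-time value.
    """
    pad = secrets.token_bytes(len(secret))
    masked = bytes(s ^ p for s, p in zip(secret, pad))
    return base64.urlsafe_b64encode(pad + masked).decode("ascii")


def unmask(value: str, secret_len: int = SECRET_LEN) -> Optional[bytes]:
    """Recover the secret from a masked value; None if the value is malformed."""
    try:
        raw = base64.urlsafe_b64decode(value.encode("ascii"))
    except (binascii.Error, ValueError, UnicodeEncodeError):
        return None
    if len(raw) != 2 * secret_len:
        return None
    pad, masked = raw[:secret_len], raw[secret_len:]
    return bytes(m ^ p for m, p in zip(masked, pad))


def token_matches(submitted: str, secret: bytes) -> bool:
    """Server-side check: unmask the submitted value and compare the recovered
    secret to the session's secret in constant time.  Two submissions with
    different pads both verify, because only the unmasked secret is compared."""
    recovered = unmask(submitted, len(secret))
    return recovered is not None and hmac.compare_digest(recovered, secret)


def compressed_len(token_repr: str, reflected: str) -> int:
    """Compressed size of a constructed page that embeds the CSRF field and also
    reflects attacker-controlled text, as a BREACH-style oracle would see it."""
    body = (
        "<form><input type=hidden name=csrfmiddlewaretoken value=%s></form>"
        "<p>No results for: csrfmiddlewaretoken=%s</p>" % (token_repr, reflected)
    )
    return len(zlib.compress(body.encode("ascii"), 9))


def oracle_distinguishes(token_repr: str, right: str, wrong: str) -> bool:
    """True when the guess sharing a prefix with the embedded token compresses
    to a strictly shorter response than an unrelated guess of the same length.
    With a static token_repr this is what lets BREACH recover it byte by byte;
    with mask(secret) the embedded value changes every response, so a prefix
    learned from one response is useless against the next."""
    return compressed_len(token_repr, right) < compressed_len(token_repr, wrong)


if __name__ == "__main__":
    demo_secret = bytes(range(SECRET_LEN))  # constructed, not a real secret
    first, second = mask(demo_secret), mask(demo_secret)
    print("two responses, same secret, different bytes on the wire:", first != second)
    print("both verify:", token_matches(first, demo_secret), token_matches(second, demo_secret))
    static = "q7Zp3nW8fX2hL0vKbT4yR1sE6mA9cD5u"  # constructed static token
    print("oracle works on a static token:",
          oracle_distinguishes(static, "q7Zp3nW8fX2h", "mK4eR9vTbQ6j"))
```

The pad is sent alongside the masked secret, so this is not secrecy against the recipient; its only job is to make sure the byte sequence the attacker is guessing at is never repeated across responses. It also means the unmasked secret must not appear anywhere else in the compressed body, and a value like a timestamp appended to the secret would reintroduce exactly the predictable context the message above warns about.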
