well, from what I read it seems that they somehow manage to inspect the 
content-length of the compressed output given that:
- they are somehow able to inject a similar token
- the compression algo is known in advance
hence the estimation of the content-length would give them the right token, 
because if the same token is injected they know how many bytes less to 
expect from the compression algo. Seems to me that it's a kind of 
bruteforce, 'cause they don't know in advance what token to use but they 
can only estimate the correctness based on the content-length.

I know that there are security experts/security "fans" watching over 
web2py's code, so I'll leave this topic to them for further analysis, but 
as Anthony suggested it seems that web2py is fine. Django and Rails use a 
somewhat "static" token, while web2py generates a new one for every form.
This cripples the javascript interaction a little bit, but seems to give 
web2py a nicer security model until BREACH gets somehow fixed at higher 
levels.

On Tuesday, August 6, 2013 8:29:29 PM UTC+2, Anthony wrote:
>
> One recommendation is to randomize the "secret" per request (the attack 
> works by guessing the secret one character at a time). web2py already 
> randomizes its CSRF tokens on every request (which I take it Django does 
> not do), so not sure web2py has the same vulnerability with regard to the 
> CSRF token (there may be vulnerabilities with other kinds of secret data, 
> though).
>
> Anthony
>
> On Tuesday, August 6, 2013 1:55:29 PM UTC-4, Massimo Di Pierro wrote:
>>
>> As I understand this has nothing to do with Django. They discovered an ssh 
>> vulnerability that can be used to decrypt part of traffic. It will affect all 
>> of us if unpatched.
>>
>> On Tuesday, 6 August 2013 10:55:06 UTC-5, Chun-Hung Chen wrote:
>>>
>>> Hi,
>>>
>>> FYI
>>> https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
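To make the mechanism discussed above concrete, here is an added toy model (not web2py's or Django's code): a page that carries a form key and echoes a request parameter in the same compressed body, a defender-side check showing that with a static key the DEFLATE length depends on whether the echoed value repeats the key, and a per-form key issuer in the style the thread attributes to web2py, so that every rendered form carries a fresh one-time value. `render_page`, `FormKeyIssuer` and the token values are constructed for this example.

```python
import secrets
import zlib

STATIC_SECRET = "a1b2c3d4e5f6"  # constructed: a key that is the same on every response


def render_page(token: str, reflected: str) -> bytes:
    """Constructed page: a hidden form key plus an echoed request parameter
    in one response body, the combination a compression length oracle needs."""
    return (
        '<html><body><form method="post">'
        f'<input type="hidden" name="_formkey" value="{token}">'
        '<input type="submit"></form>'
        f'<p>No results for "{reflected}"</p></body></html>'
    ).encode()


def compressed_length(token: str, reflected: str) -> int:
    """Byte count of the DEFLATE body, the content-length that is visible
    on the wire even when the connection is encrypted."""
    return len(zlib.compress(render_page(token, reflected)))


def static_token_leaks() -> bool:
    """Defender-side check on the static scheme: a response echoing the
    secret itself is shorter than one echoing a same-length string that
    shares nothing with it, because DEFLATE replaces the repeat with a
    back-reference instead of emitting literals."""
    wrong = "QWXZKJVYPBGM"  # twelve characters that occur nowhere else in the page
    return compressed_length(STATIC_SECRET, STATIC_SECRET) < compressed_length(STATIC_SECRET, wrong)


class FormKeyIssuer:
    """Per-form keys: a fresh random value for every rendered form, kept
    in the session and accepted exactly once (constructed, not web2py's code)."""

    def __init__(self) -> None:
        self.outstanding = set()

    def issue(self) -> str:
        key = secrets.token_hex(8)
        self.outstanding.add(key)
        return key

    def accept(self, key: str) -> bool:
        """Consume the key; a replayed or guessed key is rejected."""
        if key in self.outstanding:
            self.outstanding.remove(key)
            return True
        return False


def two_responses_differ(issuer: FormKeyIssuer) -> bool:
    """Two renders of the same form carry different keys, so a length
    measured against one response says nothing about the next one."""
    return render_page(issuer.issue(), "x") != render_page(issuer.issue(), "x")
```

The static check returns True because the repeated key costs only a length/distance pair, while twelve unrelated literals cost roughly a byte each; with per-form keys there is no fixed string to accumulate measurements against.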
