Is it safe to use GZip Middleware in Django >= 1.10?

I want to enable text compression in Django. The performance docs cite GZip Middleware as the current solution for text compression. However, it comes with a stern warning:

GZipMiddleware

Compresses responses for all modern browsers, saving bandwidth and transfer time. Note that GZipMiddleware is currently considered a security risk, and is vulnerable to attacks that nullify the protection provided by TLS/SSL. See the warning in GZipMiddleware for more information.

A few questions:

Also, from the docs:

Changed in Django 1.10: In older versions, Django’s CSRF protection mechanism was vulnerable to BREACH attacks when compression was used. This is no longer the case, but you should still take care not to compromise your own secrets this way.

I'd definitely recommend taking a look at the BREACH paper; it's short and very clear.

As stated there:

In order for the attack to be successful, several things are required. To be vulnerable to this side-channel, a web app must:

  1. Be served from a server that uses HTTP-level compression
  2. Reflect user-input in HTTP response bodies
  3. Reflect a secret (such as a CSRF token) in HTTP response bodies

So, if you don't reflect user input and secrets in response bodies, you are not vulnerable.

If you do, then it's unlikely that any text compression scheme will work. The attack exploits the fundamental property of text compression: repeated text should take up less space. There may be compression schemes that are not vulnerable, but you'd certainly want to see some guarantees.

Because this attack is based on specific application features rather than a framework vulnerability, Django can't ensure that an application is "safe". What Django can do is protect the main BREACH-vulnerable secret that it provides: the CSRF token. Since version 1.10, Django uses one of the mitigations suggested in the paper (see section 3.4) to protect it from this attack:

In order to protect against BREACH attacks, the token is not simply the secret; a random salt is prepended to the secret and used to scramble it.

To sum up: if the only secret you need to protect is Django's CSRF token, and you're using Django 1.10 or later, you can reasonably conclude that you can use gzip and still be protected against BREACH.
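To make the quoted mitigation concrete, here is an added example (not Django's own code, and not part of the original answer) that re-implements the described scheme: a random salt is prepended to the fixed per-session secret and used to scramble it, so each response carries a different token while the server can still recover the secret. The alphabet (letters and digits), the 32-character secret length and the shift-cipher scrambling are assumptions chosen to mirror Django's token format.

```python
import secrets
import string

# Assumed token format: 62-char alphabet, 32-char secret, 64-char masked token.
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH


def _random_chars(n: int) -> str:
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(n))


def new_secret() -> str:
    """The per-session CSRF secret; it stays fixed for the session."""
    return _random_chars(CSRF_SECRET_LENGTH)


def mask_secret(secret: str) -> str:
    """Return salt + scrambled secret. A fresh salt makes every token unique,
    so the same secret bytes never repeat across (or within) responses."""
    salt = _random_chars(CSRF_SECRET_LENGTH)
    n = len(CSRF_ALLOWED_CHARS)
    # Shift each secret character by the corresponding salt character.
    scrambled = "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(s) + CSRF_ALLOWED_CHARS.index(k)) % n]
        for s, k in zip(secret, salt)
    )
    return salt + scrambled


def unmask_token(token: str) -> str:
    """Recover the secret from a masked token (what the server does on POST)."""
    if len(token) != CSRF_TOKEN_LENGTH or any(c not in CSRF_ALLOWED_CHARS for c in token):
        raise ValueError("malformed CSRF token")
    salt, scrambled = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    n = len(CSRF_ALLOWED_CHARS)
    return "".join(
        CSRF_ALLOWED_CHARS[(CSRF_ALLOWED_CHARS.index(c) - CSRF_ALLOWED_CHARS.index(k)) % n]
        for c, k in zip(scrambled, salt)
    )


def tokens_match(token_a: str, token_b: str) -> bool:
    """Compare the secrets behind two masked tokens in constant time."""
    return secrets.compare_digest(unmask_token(token_a), unmask_token(token_b))


def demo() -> bool:
    """Two tokens for one secret differ on the wire yet validate as equal."""
    secret = new_secret()
    t1, t2 = mask_secret(secret), mask_secret(secret)
    return t1 != t2 and unmask_token(t1) == secret and tokens_match(t1, t2)
```

Note that this only protects the CSRF token itself; any other secret your views reflect into a compressed response body next to user-controlled input still needs its own mitigation.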