How do you stop HTTPS-defeating BREACH attacks? Let us count the ways

Last week, when Ars first reported a new hack attack that plucks e-mail addresses and certain types of security credentials out of encrypted pages, we warned the fixes wouldn't be easy. Sure enough, Web app developers responding to the attack known as BREACH have begun proposing mitigations that are awkward, if not down-right unpleasant.

The most unpalatable recommendation came from the official maintainers of Django, a popular Web framework that's perhaps second only to Ruby on Rails. In an advisory published Tuesday, they recommend website operators disable data compression in responses sent to end users. The compression, which is often considered crucial to conserve bandwidth and the time it takes browsers to load Web pages, may be turned off either by disabling Django's GZip middleware or by modifying configuration settings in the underlying Web server application.

"We plan to take steps to address BREACH in Django itself, but in the meantime we recommend that all users of Django understand this vulnerability and take action if appropriate," the advisory states.

Read 2 remaining paragraphs | Comments