[openstack-dev] [Horizon][Security] BREACH/CRIME Attack Information

Gabriel Hurley Gabriel.Hurley at nebula.com
Tue Aug 6 22:21:17 UTC 2013

Many of you have probably heard about the "BREACH" attack/security vulnerability in HTTPS traffic that was disclosed recently, and I'd like to take a moment to provide some info about how that affects Horizon. I'm not following the official vulnerability management process because 1. The vulnerability is already disclosed publicly, 2. Workaround information has already been published by Django and many others, and 3. There's no one-off code fix on our end so awareness is the best possible thing.

First off, here's a link to information on the vulnerability: http://breachattack.com/

The short version is that the attack uses carefully constructed "guess-and-check" insertions into compressed HTTPS streams to deduce secret data transmitted across those streams character by character. For Horizon, those secrets would be things like Keystone auth tokens and CSRF tokens.

The simplest "fix" for Django (as detailed in the Django security advisory linked below) is not to use Django's GZip compression middleware and to turn off any body compression you may have enabled in other intermediate webserver or proxy layers. Here's Django's security advisory: https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/

This only applies if you're using HTTPS (you *are* using HTTPS, right?) and the GZip middleware or other body compression currently.
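As an added example (not part of the original post or of Horizon's own code), the two conditions above can be turned into a small audit: one function strips Django's GZip middleware from a constructed Django 1.5-style `MIDDLEWARE_CLASSES` tuple, and another flags an HTTPS response whose body is still compressed by some other layer (web server or proxy), which the Django-side change alone does not cover. The header dictionary and middleware list are constructed sample data.

```python
# Added example: audit the BREACH-related configuration described in the post.
# Django 1.5 (Horizon's era) names the setting MIDDLEWARE_CLASSES; a newer
# project would use MIDDLEWARE, but the check is the same.
GZIP_MIDDLEWARE = "django.middleware.gzip.GZipMiddleware"

# Constructed sample: a local_settings.py middleware tuple that still enables gzip.
MIDDLEWARE_CLASSES_BEFORE = (
    "django.middleware.common.CommonMiddleware",
    GZIP_MIDDLEWARE,
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.middleware.csrf.CsrfViewMiddleware",
    "django.contrib.auth.middleware.AuthenticationMiddleware",
    "django.contrib.messages.middleware.MessageMiddleware",
)


def strip_gzip_middleware(middleware):
    """Return (middleware without GZipMiddleware, whether it had been enabled)."""
    cleaned = tuple(m for m in middleware if m != GZIP_MIDDLEWARE)
    return cleaned, len(cleaned) != len(middleware)


def response_is_breach_exposed(headers, https):
    """True when an HTTPS response body is compressed by any layer.

    Removing GZipMiddleware only stops Django from compressing; Apache
    mod_deflate, nginx gzip or a proxy can still add Content-Encoding, so the
    check is done on the response headers Horizon actually returns.
    headers: dict of header name -> value, matched case-insensitively.
    """
    if not https:
        # BREACH works on compressed HTTPS streams; the post's advice applies
        # only to HTTPS deployments.
        return False
    lowered = {name.lower(): value.strip().lower() for name, value in headers.items()}
    encoding = lowered.get("content-encoding", "identity")
    return encoding not in ("", "identity")


def audit(middleware, headers, https):
    """Combine both checks; returns a list of human-readable findings."""
    findings = []
    _, had_gzip = strip_gzip_middleware(middleware)
    if https and had_gzip:
        findings.append("GZipMiddleware enabled over HTTPS: remove it from MIDDLEWARE_CLASSES")
    if response_is_breach_exposed(headers, https):
        findings.append("response body still compressed: disable body compression in the web server/proxy")
    return findings
```

Running `audit(MIDDLEWARE_CLASSES_BEFORE, {"Content-Encoding": "gzip"}, https=True)` reports both findings; an empty list means neither compression source remains.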

The tradeoff for disabling the compression is that outgoing data transfer will generally be 40-60% larger.

In the longer term there are current discussions outside the OpenStack community about ways to further strengthen CSRF protection, SSL encryption, etc., but there's no general-purpose fix here. At the very least, the scope of the vulnerability in Horizon is limited to a certain set of configurations, and to attacking a single user + single session at a time. Depending on your deployment's constraints it can be mitigated to varying degrees or eliminated entirely at a certain cost.

As the web community continues to address this widespread problem there will likely be further information to disseminate.

Thanks for your attention,

     - Gabriel
