Roundup Tracker - Issues

Message4935

Author rouilj
Recipients ber, eadler, joseph_myers, rouilj, schlatterbeck
Date 2013-10-09.20:31:11
Message-id <1381350672.47.0.795616678964.issue2550690@psf.upfronthosting.co.za>
In-reply-to
Also note that the CSRF token may need to be a single use token.
So as soon as a post is made with the token, it gets masked/rewritten
and is no longer valid.

This protects against BREACH types of attacks against the token.

http://breachattack.com/

which recommends the following mitigation methods:

    Disabling HTTP compression

    Separating secrets from user input

    Randomizing secrets per request

    Masking secrets (effectively randomizing by XORing with a random secret per request)

    Protecting vulnerable pages with CSRF

    Length hiding (by adding random number of bytes to the responses)

    Rate-limiting the requests
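As an added illustration of the two points above (not Roundup code, and not part of the original message), the following Python shows per-request masking of a CSRF token by XOR with a fresh random pad, plus a single-use token store that invalidates a token the first time it is accepted. The names `mask`, `unmask`, `CsrfTokenStore` and the 32-byte token size are assumptions for this example.

```python
"""Added example: per-request CSRF token masking and single-use tokens.

Not Roundup code. Demonstrates the BREACH mitigation "masking secrets" and
the single-use token idea from the message above.
"""
import base64
import hmac
import secrets
from typing import Optional

TOKEN_BYTES = 32  # size of the per-session secret (assumed for this example)


def mask(secret: bytes) -> str:
    """Return a form-field value that differs on every call.

    A fresh random pad is XORed with the secret and the pad is prepended, so
    the bytes placed in the (possibly compressed) response carry no stable
    substring that a BREACH-style guess could be matched against.
    """
    pad = secrets.token_bytes(len(secret))
    masked = bytes(p ^ s for p, s in zip(pad, secret))
    return base64.urlsafe_b64encode(pad + masked).decode("ascii")


def unmask(field: str, secret_len: int = TOKEN_BYTES) -> Optional[bytes]:
    """Recover the secret from a submitted field, or None if it is malformed."""
    try:
        blob = base64.urlsafe_b64decode(field.encode("ascii"))
    except ValueError:  # bad base64 or non-ASCII input
        return None
    if len(blob) != 2 * secret_len:
        return None
    pad, masked = blob[:secret_len], blob[secret_len:]
    return bytes(p ^ m for p, m in zip(pad, masked))


class CsrfTokenStore:
    """Single-use tokens keyed by session: a token dies on first acceptance."""

    def __init__(self) -> None:
        self._tokens = {}  # session id -> current per-session secret

    def issue(self, session_id: str) -> str:
        """Create a new secret for the session and return its masked form."""
        secret = secrets.token_bytes(TOKEN_BYTES)
        self._tokens[session_id] = secret
        return mask(secret)

    def consume(self, session_id: str, field: str) -> bool:
        """Validate a submitted field; on success the token is discarded,
        so a replayed POST with the same value is rejected."""
        expected = self._tokens.get(session_id)
        submitted = unmask(field)
        if expected is None or submitted is None:
            return False
        ok = hmac.compare_digest(submitted, expected)
        if ok:
            del self._tokens[session_id]  # single use: re-render to get a new one
        return ok


if __name__ == "__main__":
    store = CsrfTokenStore()
    field = store.issue("session-A")  # constructed session id
    print("first submit accepted:", store.consume("session-A", field))
    print("replay accepted:", store.consume("session-A", field))
```

Each call to `issue` (or to `mask` on an existing secret) yields a different field value, so two renderings of the same form never contain the same token bytes; the comparison is done with `hmac.compare_digest` so verification time does not depend on where the first mismatching byte is.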
History
Date                 User    Action  Args
2013-10-09 20:31:12  rouilj  set     messageid: <1381350672.47.0.795616678964.issue2550690@psf.upfronthosting.co.za>
2013-10-09 20:31:12  rouilj  set     recipients: + rouilj, schlatterbeck, ber, joseph_myers, eadler
2013-10-09 20:31:12  rouilj  link    issue2550690 messages
2013-10-09 20:31:11  rouilj  create