Security: Sideband information cover traffic middleware

Author: jdunck
Posted: March 25, 2010
Language: Python
Version: 1.1
Score: 1 (after 1 ratings)

This is a quick hack to address the SSL info leakage covered here: http://www.freedom-to-tinker.com/blog/felten/side-channel-leaks-web-applications

Don't use this in prod without testing. :-)

I'll get some feedback from django-dev and update here.

import random

class SidebandCoverTrafficMiddleware(object):
    """
    HTTP traffic (even under SSL) can be observed for information leakage based on
    response lengths; this is more important with AJAX providing many small requests.

    See http://www.freedom-to-tinker.com/blog/felten/side-channel-leaks-web-applications

    A mitigation is to add some padding to responses to obscure the original lengths.
    """
    SUPPORTED_MIMETYPES = (
        'text/*',
    )
    SUPPORTED_STATUSES = (
        200,
    )
    EXTRA_PADDING_MAX = 1024

    def content_type(self, response):
        # Bare media type, without any "; charset=..." parameter, so that
        # "text/html; charset=utf-8" still matches 'text/*'.
        return response.get('content-type', '').split(';')[0].strip().lower()

    def should_process(self, response):
        if response.status_code not in self.SUPPORTED_STATUSES:
            return False
        if getattr(response, 'streaming', False):
            # A streaming response has no .content to pad.
            return False
        ct = self.content_type(response)
        ct_prefix = ct.split('/')[0] + '/*'
        if not (ct_prefix in self.SUPPORTED_MIMETYPES or
                ct in self.SUPPORTED_MIMETYPES):
            return False
        return True

    def process_response(self, request, response):
        # Pad in place so headers and cookies set by the view are preserved,
        # and always return a response, padded or not.
        if self.should_process(response):
            padding = b' ' * random.randint(0, self.EXTRA_PADDING_MAX)
            response.content = response.content + padding
        return response
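As an added example (not part of the snippet above), the following Python shows what the random whitespace padding does and does not hide, and goes one step beyond the snippet with a hypothetical fixed-bucket alternative: two bodies whose lengths differ by more than EXTRA_PADDING_MAX stay distinguishable, and repeated fetches of the same body let an observer average the padding away. The functions `pad_to_bucket`, `distinguishable`, `observed_lengths` and `estimate_original` are my own names, and the sample bodies are constructed.

```python
import random

EXTRA_PADDING_MAX = 1024  # same bound as the middleware above


def pad_random(body, max_pad=EXTRA_PADDING_MAX, rng=random):
    """The middleware's scheme: append 0..max_pad bytes of whitespace."""
    return body + b" " * rng.randint(0, max_pad)


def pad_to_bucket(body, bucket=EXTRA_PADDING_MAX):
    """Hypothetical alternative: round the body up to a multiple of `bucket`, so
    every response that falls in the same bucket has an identical wire length."""
    remainder = len(body) % bucket
    return body + b" " * (bucket - remainder) if remainder else body


def distinguishable(len_a, len_b, max_pad=EXTRA_PADDING_MAX):
    """True when no random pad can make body A and body B the same length:
    the scheme only hides differences smaller than max_pad."""
    return len_a + max_pad < len_b or len_b + max_pad < len_a


def observed_lengths(body, trials=200, seed=1, max_pad=EXTRA_PADDING_MAX):
    """Constructed observer: wire lengths seen when the same body is fetched
    `trials` times (identical content each time, as for a static page)."""
    rng = random.Random(seed)
    return [len(pad_random(body, max_pad, rng)) for _ in range(trials)]


def estimate_original(lengths, max_pad=EXTRA_PADDING_MAX):
    """Uniform padding adds max_pad/2 on average, so the mean observed length
    minus that recovers the unpadded length once enough samples are seen."""
    return sum(lengths) / float(len(lengths)) - max_pad / 2.0


if __name__ == "__main__":
    page_a, page_b = b"x" * 500, b"x" * 2000            # constructed bodies
    print(distinguishable(len(page_a), len(page_b)))  # True: 500 + 1024 < 2000
    print(round(estimate_original(observed_lengths(page_a))))  # close to 500
    print(len(pad_to_bucket(page_a)), len(pad_to_bucket(b"x" * 900)))  # 1024 1024
```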

Comments

bandris (on March 25, 2010):

Why not end should_process simply by:

return ct_prefix in self.SUPPORTED_MIMETYPES or ct in self.SUPPORTED_MIMETYPES
