Running Rails? Defend yourself against BREACH.

At this week's BlackHat conference, a trio of researchers announced the BREACH attack, a new attack on web applications that can recover secrets even from SSL/TLS-secured connections. Unlike CRIME, which exploited TLS-level compression, BREACH exploits HTTP-level compression (gzip/DEFLATE) of the response body, so turning off TLS compression does not help. An attacker who can get a guess reflected into a page (for example via a query parameter) and can observe the size of the compressed response learns whether the guess matched part of a secret on the same page, and repeats the process until the secret is recovered byte by byte. The paper (PDF) is a relatively quick read and easy to understand if you have some experience with web application development. It's a scary attack, likely to affect the vast majority of web sites, and with no easy fix (short of disabling HTTP compression everywhere).

The researchers have yet to release their proof-of-concept code, but they say they will soon, and the attack does not seem hard to duplicate from what has already been published. It's likely that others will release code that targets particular frameworks, such as Rails, Django, or J2EE, and try to recover secrets from those systems. The CSRF token is a prime candidate for these attacks: it is valuable (it is what stands between an attacker and a forged state-changing request), it is reflected into nearly every HTML page the framework renders, and the markup around it is uniform across applications (in Rails, the csrf-token meta tag and the hidden authenticity_token form field), which hands the attacker the known prefix that the guessing step relies on.

We released the breach-mitigation-rails gem today to help make Rails apps less susceptible to BREACH (and the related CRIME attack). This is not a silver bullet; it's likely that your app can still be attacked even with this gem installed, since any other secret your app reflects into a compressed response is not protected, and you really should review the paper to understand how this threat works. However, installing the gem will make it harder for an attack to proceed (by adding random-length padding to responses, which blurs the size signal and raises the number of requests an attack needs) and will specifically protect the CSRF token by "masking" it as the paper suggests: instead of rendering the session's token directly, each response carries a fresh random one-time pad together with the token XORed against that pad, so the secret bytes themselves never appear in the compressed body and no two responses share them. It should be compatible with most Rails 3 and 4 applications.
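To make the two mitigations above concrete, here is an added example (not the gem's own code, and not Rails' own implementation) of CSRF-token masking in the style the BREACH paper recommends, plus a simple length-hiding helper. It assumes the real per-session token is 32 random bytes held server-side; the value rendered into the page is pad || (pad XOR token), Base64-encoded, and the server unmasks and compares in constant time. The random-length HTML comment is an assumed padding approach for illustration.

```ruby
require 'securerandom'
require 'base64'

# Length of the real per-session CSRF token, in bytes (assumption for this example).
TOKEN_BYTES = 32

# XOR two equal-length byte strings.
def xor_bytes(a, b)
  raise ArgumentError, 'length mismatch' unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Value to render into the page. Every call draws a fresh one-time pad, so the
# raw token bytes never appear in the response body and two renderings of the
# same token never share a byte sequence a compressor could match against.
def mask_token(raw_token)
  pad = SecureRandom.random_bytes(raw_token.bytesize)
  Base64.strict_encode64(pad + xor_bytes(pad, raw_token))
end

# Recover the raw token from a submitted masked value; nil if malformed.
def unmask_token(masked)
  decoded = Base64.strict_decode64(masked)
  return nil unless decoded.bytesize == 2 * TOKEN_BYTES
  pad = decoded[0, TOKEN_BYTES]
  masked_token = decoded[TOKEN_BYTES, TOKEN_BYTES]
  xor_bytes(pad, masked_token)
rescue ArgumentError
  nil
end

# Constant-time comparison, so verification time does not leak how many
# leading bytes of a guess were correct.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) } == 0
end

# Server-side check of a submitted (masked) token against the session's raw token.
def valid_csrf_token?(session_token, submitted)
  raw = unmask_token(submitted)
  !raw.nil? && secure_compare(session_token, raw)
end

# Length hiding: an HTML comment of random length appended to the body, so the
# compressed response size varies between requests and a single request no
# longer tells the attacker whether a guess was right. (Assumed approach.)
def length_hiding_padding(max_bytes = 256)
  "<!-- #{SecureRandom.hex(SecureRandom.random_number(max_bytes / 2 + 1))} -->"
end

if __FILE__ == $PROGRAM_NAME
  session_token = SecureRandom.random_bytes(TOKEN_BYTES)
  first  = mask_token(session_token)
  second = mask_token(session_token)
  puts "masked #1: #{first}"
  puts "masked #2: #{second}"
  puts "renderings differ: #{first != second}"
  puts "both verify: #{valid_csrf_token?(session_token, first) && valid_csrf_token?(session_token, second)}"
  wrong = mask_token(SecureRandom.random_bytes(TOKEN_BYTES))
  puts "wrong token rejected: #{!valid_csrf_token?(session_token, wrong)}"
  puts "padding sample: #{length_hiding_padding}"
end
```

Note that masking only protects the value it is applied to; anything else the page reflects next to attacker-controlled input is still subject to the same guessing attack, which is why the padding and the paper's other mitigations are worth pairing with it.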

There's more detailed technical information about how the gem works on the GitHub page, and we look forward to working together with other security-minded Rails developers to improve this mitigation. We'll also look into getting parts of the gem merged into Rails itself as appropriate. Please get in touch if you can help us improve this gem, or if you find a problem with it; we'd love to hear from you.