Opened 2 years ago

Last modified 6 months ago

#1977 new enhancement

Implement TLS 1.3 random record padding to mitigate BREACH

Reported by: Craig Andrews Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.19.x
Keywords: Cc:
uname -a: Linux irrational 5.4.32-gentoo-x86_64 #2 SMP Thu Apr 16 10:45:23 EDT 2020 x86_64 Intel(R) Core(TM) i5-6500 CPU @ 3.20GHz GenuineIntel GNU/Linux
nginx -V: nginx version: nginx/1.17.10

Description (last modified by Craig Andrews)

The TLS specification (RFC 8446) section 5.4 defines optional Record Padding:

As a security improvement, I suggest that nginx implement random record padding.

Random record padding would mitigate the BREACH attack (and other similar) vulnerabilities.

In OpenSSL, this is done using SSL_CTX_set_record_padding_callback:

Change History (3)

comment:1 by Craig Andrews, 2 years ago

Description: modified (diff)

comment:2 by Maxim Dounin, 2 years ago

Priority: majorminor

I believe it was demonstrated more than once that padding cannot prevent the BREACH attack. The random padding at most slows down the attack, while padding to some known block length can be bypassed by adding some extra bytes. Solutions that known to work for sure include compression of valuable data independently from user-controllable fields (for example, this is how CRIME was mitigated in SPDY) and random masking of valuable data.

Further, the pull request to add SSL_CTX_set_record_padding_callback() seems to suggests that the main goal is probably to confuse traffic analysis rather than to fight attacks like BREACH.

As such, I'm highly sceptical about this feature.

comment:3 by Seirdy, 6 months ago

Padding isn't particularly useful for mitigating BREACH, but it is very useful for privacy in that it makes traffic analysis difficult. With encrypted DNS + OCSP Must-Staple + random record padding, the only easily-found information leakage for HTTPS connections will then be the hostname from SNI and dest IP; eavesdroppers will struggle to glean information more granular than that.

Combined with #2275, all an attacker will be left with is dest IP.

Note: See TracTickets for help on using tickets.