Comment 2 for bug 1209250

Robert Clark (robert-clark) wrote :

Configure Horizon to mitigate BREACH/CRIME attacks
-----

### Summary ###
In its default configuration Horizon is vulnerable to BREACH/CRIME style chosen plaintext attacks.

### Affected Services / Software ###
Horizon, Django, Apache, Nginx

### Discussion ###
The BREACH attack may be used to compromise Django's CSRF protection. OpenStack's Horizon web dashboard is built on the Django framework and consequently affected. There is no Horizon patch but there are protection options.

BREACH takes advantage of vulnerabilities when serving compressed data over SSL/TLS.

### Recommended Actions ###
Disable Django's GZIP Middleware https://docs.djangoproject.com/en/dev/ref/middleware/#module-django.middleware.gzip
Disable GZip compression in your web server's config:

Apache: Disable mod_deflate - http://httpd.apache.org/docs/2.2/mod/mod_deflate.html
Nginx: Disable the gzip module - http://wiki.nginx.org/HttpGzipModule

### Contacts / References ###
This OSSN : https://bugs.launchpad.net/ossn/+bug/1209250
Django advice on BREACH : https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/
More info on BREACH : http://breachattack.com/
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
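The following is an added example, not part of the OSSN above or of the Horizon, Django, Apache or Nginx projects. It gives an operator a way to confirm that the three recommended actions actually took effect: a check on the Django middleware list, simplified scans of nginx and Apache configuration text for an active gzip/deflate directive, and a check of a captured HTTPS response for a `Content-Encoding` header, which is the observable symptom BREACH relies on. The configuration snippets and the HTTP response head are constructed sample data; the config scans are line-based heuristics and assume no directive continuation or `include` resolution.

```python
"""Added example (not from the OSSN or Horizon): verify that HTTP-level
compression has been disabled as the advisory recommends.

Checks, in the order of the Recommended Actions:
  1. Django: is django.middleware.gzip.GZipMiddleware still listed?
  2. Nginx / Apache: does an uncommented gzip / DEFLATE directive remain?
  3. Live behaviour: does a captured response carry Content-Encoding?
"""
import re
from typing import Dict, Iterable, List

# Django's gzip middleware, as named in the advisory.
GZIP_MIDDLEWARE = "django.middleware.gzip.GZipMiddleware"

# Content-Encoding tokens that mean the body was compressed by the server.
COMPRESSED_ENCODINGS = {"gzip", "x-gzip", "deflate", "br", "compress"}


def gzip_middleware_enabled(middleware: Iterable[str]) -> bool:
    """True if GZipMiddleware is still in MIDDLEWARE / MIDDLEWARE_CLASSES."""
    return GZIP_MIDDLEWARE in set(middleware)


def _uncommented_lines(config_text: str) -> List[str]:
    """Strip '#' comments and whitespace; drop empty lines."""
    out = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append(line)
    return out


def nginx_gzip_enabled(config_text: str) -> bool:
    """Heuristic: any uncommented 'gzip on;' counts as enabled, because a
    more specific context (server/location) can re-enable it even when the
    http block says 'gzip off;'."""
    return any(re.match(r"gzip\s+on\s*;", ln) for ln in _uncommented_lines(config_text))


def apache_deflate_enabled(config_text: str) -> bool:
    """Heuristic: mod_deflate is loaded, or a DEFLATE output filter is set."""
    for ln in _uncommented_lines(config_text):
        if re.match(r"LoadModule\s+deflate_module\b", ln):
            return True
        if re.match(r"(AddOutputFilterByType|SetOutputFilter)\b", ln) and re.search(r"\bDEFLATE\b", ln):
            return True
    return False


def parse_response_head(raw: str) -> Dict[str, str]:
    """Parse the status line and headers of a raw HTTP response head into a
    lower-cased dict (folded/continuation headers are not handled)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def response_is_compressed(headers: Dict[str, str]) -> bool:
    """True if Content-Encoding names a compression scheme."""
    enc = {k.lower(): v for k, v in headers.items()}.get("content-encoding", "")
    return any(tok.strip().lower() in COMPRESSED_ENCODINGS for tok in enc.split(",") if tok.strip())


def audit(middleware: Iterable[str], nginx_conf: str, apache_conf: str, raw_response: str) -> List[str]:
    """Return a list of findings; an empty list means all three mitigations hold."""
    findings = []
    if gzip_middleware_enabled(middleware):
        findings.append("django: GZipMiddleware still enabled")
    if nginx_gzip_enabled(nginx_conf):
        findings.append("nginx: gzip on")
    if apache_deflate_enabled(apache_conf):
        findings.append("apache: mod_deflate active")
    if response_is_compressed(parse_response_head(raw_response)):
        findings.append("response: Content-Encoding indicates compression")
    return findings


# --- constructed sample inputs (before and after applying the advisory) ---
SAMPLE_MIDDLEWARE_BEFORE = [
    "django.middleware.common.CommonMiddleware",
    GZIP_MIDDLEWARE,
    "django.middleware.csrf.CsrfViewMiddleware",
]
SAMPLE_MIDDLEWARE_AFTER = [m for m in SAMPLE_MIDDLEWARE_BEFORE if m != GZIP_MIDDLEWARE]
SAMPLE_NGINX_BEFORE = "http {\n    gzip on;\n    gzip_types text/html;\n}\n"
SAMPLE_NGINX_AFTER = "http {\n    # gzip on;  (disabled per OSSN)\n    gzip off;\n}\n"
SAMPLE_APACHE_BEFORE = "LoadModule deflate_module modules/mod_deflate.so\nAddOutputFilterByType DEFLATE text/html\n"
SAMPLE_APACHE_AFTER = "#LoadModule deflate_module modules/mod_deflate.so\n"
SAMPLE_RESPONSE_BEFORE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\nVary: Accept-Encoding\r\n\r\n"
SAMPLE_RESPONSE_AFTER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 1234\r\n\r\n"

if __name__ == "__main__":
    print("before:", audit(SAMPLE_MIDDLEWARE_BEFORE, SAMPLE_NGINX_BEFORE, SAMPLE_APACHE_BEFORE, SAMPLE_RESPONSE_BEFORE))
    print("after: ", audit(SAMPLE_MIDDLEWARE_AFTER, SAMPLE_NGINX_AFTER, SAMPLE_APACHE_AFTER, SAMPLE_RESPONSE_AFTER))
```

The response check is the one that matters operationally: feed it the head of a response captured from the dashboard over TLS after a request that advertised `Accept-Encoding: gzip`, and an empty `audit()` result confirms that neither Django nor the front-end web server is compressing the page.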