Length hiding doesn't work #14

Open
tarcieri opened this issue Nov 5, 2013 · 3 comments

Comments


tarcieri commented Nov 5, 2013

Length hiding cannot be used to mitigate BREACH:

  1. Adding a random amount of data will still expose a statistical bias
  2. Adding pseudorandom data based on a content hash won't work because the attacker can add random data to the page, at which point we're back to 1
  3. Padding to a fixed multiple of the output length won't work because a BREACH attacker can find the "cliff" where the length varies
  4. Padding to a random length won't work because the attacker can combine 1 & 3

tl;dr: don't try to hide the length. It won't help defend against more sophisticated forms of the attack.

The real mitigations are:

  1. Mask the CSRF token
  2. Disable compression
@bradleybuda (Contributor) commented:

I chose the word "mitigate" here because you're right; length hiding does not prevent the attack, but it does slow it. How much it slows the attack is unclear to me - I'd have to work out the statistics of how many more requests an attacker would need to make in order to remove the noise added by the length hiding. I'll see if I can make this more clear in the README.

FWIW, the paper's authors do recommend length hiding to slow attacks, but it's low on the list of recommendations and the paper suggests it's not all that effective. It's hard to know whether it's worth the added complexity and slight performance hit without knowing how much it would slow down an attacker. To totally make up some numbers, if length hiding makes an attack 2x slower, it might not be worth it, but if it makes it 10,000x slower, that could justify it.


frodsan commented Nov 30, 2014

@tarcieri @bradleybuda if gzip is turned off, do I still need these patches? Thanks :-)

@tarcieri (Author) commented:

BREACH only affects responses that are compressed. Disabling compression also mitigates BREACH.
