How long is your password? HTTPS Bicycle attack reveals that and more
A new attack on supposedly secure communication streams raises questions over the resilience of passwords, security researchers warn.
The HTTPS Bicycle attack can result in the length of personal and secret data, such as passwords and GPS co-ordinates, being exposed from a packet capture of a user's HTTPS traffic.
The attack – discovered by security researcher Guido Vranken (and summarised below) – refocuses attention on topics such as encryption, authentication, privacy and most specifically password security.
It is usually assumed that HTTP traffic encapsulated in TLS doesn’t reveal the exact sizes of its parts, such as the length of a cookie header, or the payload of a HTTP POST request that may contain variable-length credentials such as passwords. In this paper I show that the redundancy of the plaintext HTTP headers included in each and every request can be exploited in order to reveal the length of particular components (such as passwords) of particular requests (such as authentication to a web application).
The redundancy of HTTP in practice allows for an iterative resolution of the length of ‘unknowns’ in a HTTP message until the lengths of all its components are known except for a coveted secret, such as a password, whose length is then implied. The attack furthermore exploits the property of stream-oriented cipher suites such as those based on Galois/Counter Mode that the exact size of the plaintext can be known to a man-in-the-middle.
Carl Leonard, principal security analyst at security tools firm Raytheon|Websense, commented: “End users may expect their passwords to remain secret when they interact with a website that uses encryption, but HTTPS Bicycle shows this may not be the case. Knowledge is power to an attacker, and even small pieces of information can lead to a later, more refined attack.”
Determining even the length of a password can narrow down the range of possibilities and therefore make subsequent brute force assaults more effective, continued Leonard: "The undetectable nature of this attack means it's vital that webmasters consider using strong passwords and two-factor authentication to eliminate the single point of failure. End users must ensure their passwords are sufficiently strong, while website operators and web platform developers must ensure they are fully up to date to guarantee all steps are taken to prevent this attack from occurring in the future
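To make the length-leak concrete, here is an added simulation (not code from the article or from Vranken's paper) of the inference the Bicycle technique relies on, alongside the padding countermeasure. The host name, form field names, the AES-GCM record overhead figures and the 64-byte padding bucket are assumptions chosen for illustration.

```python
"""Constructed simulation of the HTTPS Bicycle length inference and of a
padding countermeasure. Host, field names and sizes are assumptions."""

# TLS 1.2 AES-GCM record framing: 8-byte explicit nonce + 16-byte auth tag and
# no padding, so the ciphertext length reveals the plaintext length exactly.
GCM_OVERHEAD = 8 + 16


def build_request(password: str, pad_to: int = 0) -> bytes:
    """Build a constructed login POST. With pad_to > 0 the body is padded
    with a filler field so its total length is a multiple of pad_to."""
    body = b"user=alice&password=" + password.encode()
    if pad_to:
        base = len(body) + len(b"&pad=")
        target = -(-base // pad_to) * pad_to          # round up to a bucket
        body += b"&pad=" + b"x" * (target - base)
    headers = (b"POST /login HTTP/1.1\r\n"
               b"Host: example.test\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return headers + body


def record_length(plaintext: bytes) -> int:
    """Size of the TLS record an on-path observer sees for this plaintext."""
    return len(plaintext) + GCM_OVERHEAD


def consistent_secret_lengths(observed: int, pad_to: int = 0,
                              limit: int = 256) -> list:
    """Every password length whose request would produce a record of the
    observed size, given that everything except the password is known.
    The Content-Length digits are resolved by trying each candidate rather
    than assumed, mirroring the iterative resolution the paper describes."""
    return [n for n in range(limit)
            if record_length(build_request("x" * n, pad_to)) == observed]


if __name__ == "__main__":
    seen = record_length(build_request("hunter2"))
    print("unpadded candidates:", consistent_secret_lengths(seen))   # [7]
    seen = record_length(build_request("hunter2", pad_to=64))
    print("padded-to-64 candidates:",
          len(consistent_secret_lengths(seen, 64)))                 # 40
```

Without padding the observed record size pins the password length to a single value; with the body padded to a 64-byte bucket, every length from 0 to 39 produces an identical record, which is the ambiguity a defender wants an observer to face.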