New Attack Sucks Information from HTTPS

By

Bicycle attack technique can determine password length and other clues to simplify a dictionary attack.

Security expert Guido Vranken has published a paper on an attack that can successfully extract meaningful information from a captured TLS traffic session. Although the so-called HTTPS Bicycle attack does not provide direct access to encrypted data, it can determine the length of parts of the data, such as the cookie header or the payload of an HTTP POST request. An attacker can even employ this technique to determine the length of a password used to access an online account. Knowing the length of the password can greatly simplify a dictionary attack.

The attack has no known antidote; however, using a high-quality password and/or some form of two-factor authentication will make it more difficult for the attacker to succeed. See Guido Vranken's blog for a summary of the attack technique, or you can download the whole paper in PDF form.

01/06/2016

Related content

comments powered by Disqus