A researcher is warning of a newly discovered attack vector affecting TLS which could lead to hackers uncovering the length of supposedly secret data such as passwords, making them easier to crack.
The HTTPS Bicycle attack is explained by Guido Vranken in a research paper here.
Although it is completely undetectable by the user, the real world impact may be minimal as there are several prerequisite conditions that may be hard to meet.
Specifically, it requires a packet capture of HTTPS traffic from a victim’s browser to a specific site, obtained via a Man in the Middle position, and that the TLS traffic must use a “stream-oriented cipher”, a type of encryption that adds no padding, so that the size of each encrypted record reveals the exact size of the plaintext inside it.
What’s more, it can only reveal the length of unknown data if the rest of the data is known.
Websense security researcher, Nicholas Griffin, explains here how an attack targeting a victim's password would work:
“All a user needs to do is have a packet capture of requests to a known site, including an authentication (login) request containing an already known username and an unknown plain-text password. If an attacker can determine the user's browser and how that browser would send requests to the site, they can subtract the length of all the known data the browser would send except for the piece of information they are interested in, which will result in them knowing the length of the unknown data.”
Once the length of a target’s password has been ascertained, in theory it should be easier to crack. If a password is eight characters long and an attacker is able to send 10 log-in requests to the website in question every second, it could be cracked in 5.5 hours, Griffin estimated.
Although the plausibility of carrying out such an attack in the real world has yet to be tested, it should be another reason to ensure any passwords contain numbers and letters and at least eight characters, he added.
Websense principal security analyst, Carl Leonard, added that webmasters must do their bit too—for example by offering two-factor authentication.
“End users must ensure their passwords are sufficiently strong, while website operators and web platform developers must ensure they are fully up to date to guarantee all steps are taken to prevent this attack from occurring in the future,” he argued.
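The following is an added example, not code from the article, from Websense or from Vranken's paper. It models in Python the two points made above: why an observer who knows everything in a login request except the password can recover the password's length from record sizes when the cipher adds no padding, and why padding (a block cipher's padding partially, a fixed-size form body fully) takes that signal away. The request template, the hostname `example.test`, the sample credentials, the 16-byte tag overhead and block size, and the 256-byte padding target are all constructed assumptions; no real TLS is implemented.

```python
# Added example, not from the article or from Vranken's paper: a toy model of
# how TLS record sizes expose a password's length under a stream-oriented
# cipher, and of the two things that blunt the leak (block padding narrows it
# to a range; fixed-size application padding removes it). Header names, the
# hostname, the 16-byte overhead/block size and the 256-byte padding target
# are all constructed assumptions; no real TLS is involved.

TAG_OVERHEAD = 16          # assumed constant per-record MAC/tag overhead
BLOCK_SIZE = 16            # assumed block size for the padded-cipher variant
PADDED_BODY_LENGTH = 256   # assumed fixed form-body size used as a mitigation


def _wrap(body: bytes) -> bytes:
    """Constructed HTTP request template; everything but the body is known."""
    headers = (
        "POST /login HTTP/1.1\r\n"
        "Host: example.test\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return headers.encode() + body


def login_request(username: str, password: str) -> bytes:
    """Plain login form: only the password is unknown to an observer."""
    return _wrap(f"user={username}&pass={password}".encode())


def padded_login_request(username: str, password: str) -> bytes:
    """Mitigation: pad the form body to a constant size so its length carries
    no information about the password."""
    body = f"user={username}&pass={password}&pad=".encode()
    if len(body) > PADDED_BODY_LENGTH:
        raise ValueError("form does not fit the fixed padding target")
    return _wrap(body + b"x" * (PADDED_BODY_LENGTH - len(body)))


def stream_record_length(plaintext: bytes) -> int:
    """Stream-oriented cipher: ciphertext is plaintext plus a constant tag."""
    return len(plaintext) + TAG_OVERHEAD


def block_record_length(plaintext: bytes) -> int:
    """Block cipher with PKCS#7-style padding: plaintext is rounded up to the
    next multiple of BLOCK_SIZE (always at least one padding byte)."""
    padded = (len(plaintext) // BLOCK_SIZE + 1) * BLOCK_SIZE
    return padded + TAG_OVERHEAD


def consistent_password_lengths(observed_len, username, build, record_len,
                                max_len=64):
    """Which password lengths could have produced a record of observed_len?
    The observer rebuilds the known request template with a placeholder
    password of each candidate length (this also accounts for the
    Content-Length header changing with the body) and keeps the matches."""
    return [n for n in range(max_len + 1)
            if record_len(build(username, "x" * n)) == observed_len]


def demo():
    """Returns the candidate length sets for one constructed 8-character
    password under each of the three record-size models."""
    user, secret = "alice", "hunter2x"  # constructed sample credentials
    results = {}
    for name, build, record_len in (
        ("stream", login_request, stream_record_length),
        ("block", login_request, block_record_length),
        ("stream+fixed-padding", padded_login_request, stream_record_length),
    ):
        observed = record_len(build(user, secret))
        results[name] = consistent_password_lengths(
            observed, user, build, record_len)
    return results


if __name__ == "__main__":
    for name, cands in demo().items():
        print(name, "->", len(cands), "candidate length(s):", cands[:6])
```

Run as a script, the stream-cipher model leaves exactly one candidate length, the block-padded model leaves a block-sized range of candidates, and the fixed-size form body makes every length in the search range equally consistent with what was observed. The application-level padding shown here is one way to remove the signal; at the protocol level, TLS 1.3 also allows records to carry padding for the same reason.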
HTTPS Bicycle doesn’t just work with password-based attacks, of course; it could theoretically be used to steal GPS co-ordinates or IP addresses.