A new attack on HTTPS allows you to receive information about the passwords

A computer security researcher from the Netherlands, Guido Vranken, discovered a new method of attacking TLS / SSL encrypted traffic. In theory, it allows you to retrieve certain information about the data transmitted via the HTTPS protocol. This information can then be used to increase the effectiveness of hacking.

The attack, named by the researcher " HTTPS Bicycle Attack " (bicycle attack), allows you to determine the length of some data transmitted in encrypted form: the length of the cookie header, the length of the passwords transmitted by the POST method, GPS coordinates, IPv4 addresses, etc. At the same time, the traffic remaining in the logs can be analyzed.
')
However, to extract information about the length of the fields, you must know in advance the length of some of the transmitted data. In addition, the attack only works when using a stream cipher .

By subtracting from the length of the authentication header the length of the login, the URL where the client is authorized, and other supporting information, the attacker can get the length of the password, after which the picking attack will be slightly more efficient.

As a recommendation for resource administrators, Vranken recommends disabling streaming encryption, always use the latest version of TLS (for now it is 1.2) and mask the true length of the most sensitive data, complementing them with symbols that will be discarded later.

The theoretical possibility of such an attack is not a reason for panic - for its success requires the fulfillment of many conditions. And, of course, users who use non-standard random and fairly long passwords, and different on different resources, still can feel safe.