An HTTPS Bicycle Attack refers to a method of discovering password length from packets encrypted with the TLS/SSL protocols.[1] In preparation for a bicycle attack, the attacker must load the target page to compute the sizes of the headers in the request that a given web browser makes to the server. Once the attacker intercepts a victim's request and fingerprints the browser that produced it, the length of the password can be deduced by subtracting the known header lengths from the total length of the request.[2]
The term was first coined on December 30, 2015 by Guido Vranken, who wrote:
"The name TLS Bicycle Attack was chosen because of the conceptual similarity between how encryption hides content and gift wrapping hides physical objects. My attack relies heavily on the property of stream-based ciphers in TLS that the size of TLS application data payloads is directly known to the attacker and this inadvertently reveals information about the plaintext size; similar to how a draped or gift-wrapped bicycle is still identifiable as a bicycle, because cloaking it like that retains the underlying shape. The reason that I've named this attack at all is only to make referring to it easier for everyone."[2] [emphasis added]
The bicycle attack makes brute-forcing passwords much easier, because only passwords of the known length need to be tested. It demonstrates that TLS-encrypted HTTP traffic does not completely obscure the exact size of its content.
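As an added illustration (not part of the article or of Vranken's paper), the length arithmetic described above in Python, alongside the fixed-length padding that removes the signal. The request template, host name, padding field name and the TLS 1.2 AES-GCM overhead figures are assumptions; nothing is sent over a network.

```python
TLS_RECORD_HEADER = 5     # content type (1) + version (2) + length (2)
AEAD_OVERHEAD = 8 + 16    # explicit nonce + GCM tag; assumes TLS 1.2 AES-GCM
PAD_FIELD = "&pad="       # constructed name for the padding form field


def login_request(username, password, pad_to=None):
    """Constructed HTTP/1.1 POST resembling a browser login form submission."""
    body = f"user={username}&pass={password}"
    if pad_to is not None:
        # Mitigation: every submission is padded to the same body length,
        # so the record length no longer depends on the password length.
        fill = pad_to - len(body) - len(PAD_FIELD)
        if fill < 0:
            raise ValueError("body exceeds padded size")
        body += PAD_FIELD + "x" * fill
    headers = ("POST /login HTTP/1.1\r\nHost: example.test\r\n"
               "Content-Type: application/x-www-form-urlencoded\r\n"
               f"Content-Length: {len(body)}\r\n\r\n")
    return (headers + body).encode()


def record_length(plaintext):
    """Bytes on the wire for one TLS record carrying `plaintext`: the stream
    cipher hides the bytes but not their count, which is what the attack observes."""
    return TLS_RECORD_HEADER + AEAD_OVERHEAD + len(plaintext)


def consistent_password_lengths(observed_len, username, pad_to=None, max_len=64):
    """Password lengths an observer cannot rule out, given the observed record
    length and a fingerprinted request template (headers and username known).
    This is the subtraction described above, done by regenerating the template
    per candidate so that the Content-Length digits are accounted for."""
    out = set()
    for n in range(max_len + 1):
        try:
            req = login_request(username, "x" * n, pad_to)
        except ValueError:
            continue  # this length cannot occur on a site that pads
        if record_length(req) == observed_len:
            out.add(n)
    return out


if __name__ == "__main__":
    seen = record_length(login_request("alice", "hunter2"))
    print(consistent_password_lengths(seen, "alice"))              # {7}
    seen = record_length(login_request("alice", "hunter2", pad_to=64))
    print(consistent_password_lengths(seen, "alice", pad_to=64))   # {0, 1, ..., 43}
```

Without padding the observed length pins the password to exactly one length; with padding every password that fits the fixed body produces an identical record, so the observer is left with the whole range.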
References
1. Harsha, Benjamin; Morton, Robert; Blocki, Jeremiah; Springer, John; Dark, Melissa (2021-01-01). "Bicycle attacks considered harmful: Quantifying the damage of widespread password length leakage". Computers & Security. 100: 102068. arXiv:2002.01513. doi:10.1016/j.cose.2020.102068. ISSN 0167-4048. S2CID 211032131.
2. Vranken, Guido (December 30, 2015). "HTTPS Bicycle Attack" (PDF). Retrieved 2021-10-15.