A new attack on supposedly secure communication streams raises questions over the resilience of passwords, security researchers warn.

The HTTPS Bicycle attack can result in the length of personal and secret data, such as passwords and GPS co-ordinates, being exposed from a packet capture of a user's HTTPS traffic.

The attack – discovered by security researcher Guido Vranken (and summarised below) – refocuses attention on topics such as encryption, authentication, privacy and most specifically password security.

It is usually assumed that HTTP traffic encapsulated in TLS doesn’t reveal the exact sizes of its parts, such as the length of a cookie header, or the payload of a HTTP POST request that may contain variable-length credentials such as passwords. In this paper I show that the redundancy of the plaintext HTTP headers included in each and every request can be exploited in order to reveal the length of particular components (such as passwords) of particular requests (such as authentication to a web application). The redundancy of HTTP in practice allows for an iterative resolution of the length of ‘unknowns’ in a HTTP message until the lengths of all its components are known except for a coveted secret, such as a password, whose length is then implied. The attack furthermore exploits the property of stream-oriented cipher suites such as those based on Galois/Counter Mode that the exact size of the plaintext can be known to a man-in-the-middle.

Carl Leonard, principal security analyst at security tools firm Raytheon|Websense, commented: “End users may expect their passwords to remain secret when they interact with a website that uses encryption, but HTTPS Bicycle shows this may not be the case. Knowledge is power to an attacker, and even small pieces of information can lead to a later, more refined attack.”

Determining even the length of a password can narrow down the range of possibilities and therefore make subsequent brute force assaults more effective, continued Leonard: "The undetectable nature of this attack means it's vital that webmasters consider using strong passwords and two-factor authentication to eliminate the single point of failure. End users must ensure their passwords are sufficiently strong, while website operators and web platform developers must ensure they are fully up to date to guarantee all steps are taken to prevent this attack from occurring in the future.”

More on Websense's take on the security vulnerability can be found in a blog post below. ®