HTTPS Bicycle attack reveals password length, allows easier brute-forcing
Dutch security researcher Guido Vranken has come up with a new attack that could allow attackers to discover the length of a user’s password – and therefore make it easier to brute-force it – by analyzing a packet capture of the user’s HTTPS traffic.
“It is usually assumed that HTTP traffic encapsulated in TLS doesn’t reveal the exact sizes of its parts, such as the length of a cookie header, or the payload of a HTTP POST request that may contain variable-length credentials such as passwords,” Vranken noted.
“In this paper I show that the redundancy of the plaintext HTTP headers included in each and every request can be exploited in order to reveal the length of particular components (such as passwords) of particular requests (such as authentication to a web application). The redundancy of HTTP in practice allows for an iterative resolution of the length of ‘unknowns’ in a HTTP message until the lengths of all its components are known except for a coveted secret, such as a password, whose length is then implied.”
A few essential conditions have to be met for this so-called HTTPS Bicycle attack to be successful. For one, if the attacker aims to known the length of the user’s password, he or she has to known the user name belonging to that password, as they are often sent together in an authentication process. Also, the attacker must know the length of the rest of the data in the header.
In an attack scenario that targets the HTTPS traffic between a browser and a web server (for example) it’s also helpful for the attacker to know which specific browser was used so that he or she can know how a typical header this browser will send for various types of web resources. That piece of information is not that difficult to find out.
Another prerequisite for a successful attack is that the TLS traffic must use a stream-based cipher, because their output lengths corresponds 1:1 with the (plaintext) input size.
In his paper, Vranken has explained in great detail how the attack would be carried out and how the gathered information is to be analyzed, but Websense researchers have also written up a helpful summary of the chronological steps of the attack.
A very important thing to note about the HTTPS Bicycle attack is that it’s effectively impossible to detect – the attacker does not tamper with the target’s session, he or she only need to record the encrypted data stream. Also, it means that the attack can be executed by analyzing old HTTPS traffic that has been logged somewhere.
“On the surface, and despite the requirements for a successful attack, the HTTPS Bicycle attack is a real and dangerous threat that could potentially result in a new wave of personal and secret information being divulged in the near future. It is yet to be determined how wide scale this issue could be and how feasible the attack is in a real world scenario, but the lack of retrospective mitigation poses a big risk to users,” says Websense researcher Nicholas Griffin.
Vranken says that the range of application for this attack is much wider than simply extracting login credentials.
“It can also be used to extract the length of user names (from pages where all content is static or known except for a string “Welcome back, {username}”), or the user’s account balance on pages in an online banking application, or the number of new messages in an online messaging system,” he notes.
He offered several options for mitigating and/or preventing this type of attack, including hashing or padding the passwords before transmission to disguise their length. Users can also prevent their password from being easily brute-forced (even if an attacker finds out how long it is) by choosing long passwords.