
The HTTPS bicycle attack

Posted Jan 21, 2016 8:21 UTC (Thu) by dgm (subscriber, #49227)
Parent article: The HTTPS bicycle attack

> The length of the unknown headers can be derived from the other requests since the attacker knows the lengths they recorded from their own session.

This is a flaw in the technique that can be used to easily subvert it. The trick is having the login.php form include random-length garbage in the headers. I humbly propose a "X-Bicycle-Box" (or simply "Bicycle-Box") header for that.



The HTTPS bicycle attack

Posted Jan 21, 2016 8:33 UTC (Thu) by johill (subscriber, #25196)

I'm not sure it should be in the header; you want it also on the way back when the data is POSTed, so it'd have to either be a random-length cookie, or be part of the <form>.

The HTTPS bicycle attack

Posted Jan 21, 2016 9:58 UTC (Thu) by mina86 (guest, #68442)

As the article describes, unknown headers can be ignored by the attacker, so that doesn't seem like a valid protection, but a _pad form field filled with the letter a such that len(login) + len(password) + len(_pad) is constant might just work.

Then again, the POST data encoding is variable-length, so this may still leak the presence or absence of some special characters, so padding and hex encoding seem like the best option.
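
The padding and hex-encoding idea from the comment above, sketched as an added example that is not part of the original thread. The field names `login`, `password` and `_pad` come from the comment; the 128-byte `BUDGET`, the function names and the sample credentials are assumptions made for illustration.

```javascript
// Added example: constant-length login body using hex encoding plus a _pad field.
// BUDGET is an assumed upper bound on the combined UTF-8 size of login + password.
const BUDGET = 128;
const utf8 = new TextEncoder();

// Hex encoding maps every input byte to exactly two body characters, so no
// character class (&, =, space, non-ASCII) changes the expansion factor.
function hex(s) {
  return Array.from(utf8.encode(s), b => b.toString(16).padStart(2, "0")).join("");
}

// Ordinary form encoding: the length depends on how many characters get escaped.
function naiveBody(login, password) {
  return new URLSearchParams({ login, password }).toString();
}

// Padded encoding: len(hex(login)) + len(hex(password)) + len(_pad) is constant.
function paddedBody(login, password) {
  const l = hex(login), p = hex(password);
  const padLen = 2 * BUDGET - l.length - p.length;
  if (padLen < 0) throw new RangeError("login + password exceed the padding budget");
  return `login=${l}&password=${p}&_pad=${"a".repeat(padLen)}`;
}

// Body lengths an on-path observer could infer for each credential pair.
function bodyLengths(encode, samples) {
  return samples.map(([login, password]) => encode(login, password).length);
}

// Constructed sample credentials; the first two passwords have the same raw length.
const SAMPLES = [
  ["alice", "abcdefgh"],
  ["alice", "abc&ef=h"],
  ["bob", "correct horse battery staple"],
  ["carol", "pässwörd"],
];

console.log("naive :", bodyLengths(naiveBody, SAMPLES));
console.log("padded:", bodyLengths(paddedBody, SAMPLES));
```

The server has to hex-decode the fields and discard `_pad`; inputs over the budget are rejected rather than sent with a shorter pad, since a shrinking pad would reintroduce the length signal.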

The HTTPS bicycle attack

Posted Jan 26, 2016 16:06 UTC (Tue) by robbe (guest, #16131)

> unknown headers can be ignored by the attacker

As I understood it, this only holds true as long as they have constant length. A variable-length header, as proposed by dgm, may mitigate the issue somewhat.

The HTTPS bicycle attack

Posted Jan 31, 2016 2:31 UTC (Sun) by jimparis (guest, #38647)

> I humbly propose a "X-Bicycle-Box" (or simply "Bicycle-Box") header for that.

Or a perfect opportunity to use "X-Bikeshed".. :)

