The HTTPS bicycle attack

Posted Jan 21, 2016 9:58 UTC (Thu) by mina86 (guest, #68442)
In reply to: The HTTPS bicycle attack by dgm
Parent article: The HTTPS bicycle attack

As the article describes, unknown headers can be ignored by the attacker, so that doesn't seem like a valid protection, but a _pad form field filled with the letter a such that len(login) + len(password) + len(_pad) is constant might just work.

Then again, the POST data encoding is variable-length, so this may still leak the presence or absence of some special characters; padding and hex encoding seem like the best option.

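To make the two ideas in the comment above concrete, here is an added Python example that is not part of the original thread: a _pad field sized from raw character counts still leaks through the variable-length URL encoding of the POST body, whereas hex-encoding the credentials before padding yields a constant body length. The 64-byte budget and the field names login/password/_pad are assumptions for the demonstration.

```python
from urllib.parse import urlencode

# Assumed per-site budget: the three fields must sum to this many bytes.
BUDGET = 64


def naive_pad_body(login: str, password: str, budget: int = BUDGET) -> bytes:
    """Pad so len(login) + len(password) + len(_pad) is constant, then URL-encode.

    The sum of the raw field lengths is constant, but urlencode() expands
    characters such as '@' to '%40' and non-ASCII bytes to '%XX', so the
    encoded body (what the TLS record length reveals) still varies.
    """
    pad_len = budget - len(login.encode()) - len(password.encode())
    if pad_len < 0:
        raise ValueError("credentials exceed the padding budget")
    fields = {"login": login, "password": password, "_pad": "a" * pad_len}
    return urlencode(fields).encode()


def hex_pad_body(login: str, password: str, budget: int = BUDGET) -> bytes:
    """Hex-encode first, then pad so the hex lengths sum to 2 * budget.

    Every input byte becomes exactly two characters from [0-9a-f], which
    urlencode() never escapes, so the encoded body length is constant for
    every login/password pair that fits the budget.
    """
    login_hex = login.encode().hex()
    password_hex = password.encode().hex()
    pad_len = 2 * budget - len(login_hex) - len(password_hex)
    if pad_len < 0:
        raise ValueError("credentials exceed the padding budget")
    fields = {"login": login_hex, "password": password_hex, "_pad": "a" * pad_len}
    return urlencode(fields).encode()


def body_lengths(encoder, passwords, login: str = "alice") -> set:
    """Return the set of distinct encoded body lengths over the given passwords.

    A single element means the scheme hides which password was sent.
    """
    return {len(encoder(login, pw)) for pw in passwords}


if __name__ == "__main__":
    # Constructed sample: same character count, different URL-encoded length.
    samples = ["pass", "p@ss", "p\u00e4ss"]
    print("naive:", sorted(body_lengths(naive_pad_body, samples)))
    print("hex:  ", sorted(body_lengths(hex_pad_body, samples)))
```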

The HTTPS bicycle attack

Posted Jan 26, 2016 16:06 UTC (Tue) by robbe (guest, #16131)

> unknown headers can be ignored by the attacker

As I understood it, this only holds true as long as they have constant length. A variable length header, as proposed by dgm, may mitigate the issue somewhat.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds