Undetectable HTTPS Bicycle Attack

By   ISBuzz Team
Writer , Information Security Buzz | Jan 06, 2016 09:00 pm PST

Researchers at Raytheon|Websense have offered advice to end users and businesses on the HTPPS Bicycle Attack, which raises questions over the resilience of passwords.

Discovered by Guido Vranken, the HTTPS Bicycle attack can result in the length of personal and secret data, such as passwords and GPS co-ordinates, being exposed from a packet capture of a user’s HTTPS traffic. The attack puts the spotlight on the topics of encryption, authentication, privacy and specifically password security in 2016.

[su_note note_color=”#ffffcc” text_color=”#00000″]Carl Leonard, Principal Security Analyst at Raytheon|Websense :

“The HTTPS Bicycle Attack could potentially result in the divulgence of a new wave of personal and secret information.

“End users may expect their passwords to remain secret when they interact with a website that uses encryption, but HTTPS Bicycle shows this may not be the case. Knowledge is power to an attacker, and even small pieces of information can lead to a later, more refined attack. If they can determine the length of a password this could be vital information for them to pivot off and crack the password faster.

“The undetectable nature of this attack means it’s vital that webmasters consider using strong passwords and two-factor authentication to eliminate the single point of failure. End users must ensure their passwords are sufficiently strong, while website operators and web platform developers must ensure they are fully up to date to guarantee all steps are taken to prevent this attack from occurring in the future.”[/su_note]

[su_box title=”About Raytheon|Websense” style=”noise” box_color=”#336588″]Raytheon|WebsenseRaytheon Company (NYSE: RTN) and Vista Equity Partners completed a joint venture transaction creating a new company that combines Websense, a Vista Equity portfolio company, and Raytheon Cyber Products, a product line of Raytheon’s Intelligence, Information and Services business. The newly-formed commercial cybersecurity company will be known on an interim basis as Raytheon|Websense. The company expects to introduce a new brand identity upon completion of standard organisational integration activity.[/su_box]