HTTPS Bicycle attack reveals password length, allows easier brute-forcing

Discussion in 'Computers & Tech' started by tsr, Jan 7, 2016.

  1. tsr

    By: Zeljka Zorz Managing Editor

    Dutch security researcher Guido Vranken has come up with a new attack that could allow attackers to discover the length of a user's password - and therefore make it easier to brute-force it - by analyzing a packet capture of the user's HTTPS traffic.

    "It is usually assumed that HTTP traffic encapsulated in TLS doesn't reveal the exact sizes of its parts, such as the length of a cookie header, or the payload of a HTTP POST request that may contain variable-length credentials such as passwords," Vranken noted.

    "In this paper I show that the redundancy of the plaintext HTTP headers included in each and every request can be exploited in order to reveal the length of particular components (such as passwords) of particular requests (such as authentication to a web application). The redundancy of HTTP in practice allows for an iterative resolution of the length of 'unknowns' in a HTTP message until the lengths of all its components are known except for a coveted secret, such as a password, whose length is then implied."

    Full Article Here: http://www.net-security.org/secworld.php?id=19295
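
The length arithmetic the quoted passage describes, together with a fixed-size login body that removes the signal, as an added illustration that is not code from the article or from Vranken's paper. It assumes a cipher suite that adds only a constant per-record overhead, one TLS record per request, and a constructed host, header set and form field names.

```python
# Added illustration; host, headers and form field names are constructed.
OVERHEAD = 24  # assumption: constant per-record overhead, no padding

HEADERS = [("Host", "example.test"), ("User-Agent", "ConstructedBrowser/1.0"),
           ("Accept", "*/*")]

def record_len(plaintext: bytes) -> int:
    """Size seen on the wire for a length-preserving cipher suite."""
    return len(plaintext) + OVERHEAD

def request(method, path, headers, body=b""):
    if body:
        headers = headers + [
            ("Content-Type", "application/x-www-form-urlencoded"),
            ("Content-Length", str(len(body)))]
    head = f"{method} {path} HTTP/1.1\r\n"
    head += "".join(f"{k}: {v}\r\n" for k, v in headers)
    return head.encode() + b"\r\n" + body

def login_body(user, password, pad_to=None):
    body = f"user={user}&pass={password}"
    if pad_to is not None:
        # Mitigation: a filler field brings every body to the same size.
        fill = pad_to - len(body) - len("&pad=")
        if fill < 0:
            raise ValueError("pad_to is smaller than the unpadded body")
        body += "&pad=" + "x" * fill
    return body.encode()

def resolve_header_block(observed, method, path):
    """A request with no secret gives the size of the repeated headers."""
    return observed - OVERHEAD - len(request(method, path, []))

def implied_password_len(observed, header_block, path, user, limit=256):
    """All other parts known: search n, since Content-Length digits vary."""
    for n in range(limit):
        known = len(request("POST", path, [], login_body(user, "A" * n)))
        if known + header_block + OVERHEAD == observed:
            return n
    return None

if __name__ == "__main__":
    hb = resolve_header_block(record_len(request("GET", "/", HEADERS)), "GET", "/")
    seen = record_len(request("POST", "/login", HEADERS, login_body("alice", "correcthorse")))
    print("implied length:", implied_password_len(seen, hb, "/login", "alice"))
    sizes = {record_len(request("POST", "/login", HEADERS, login_body("alice", p, 128)))
             for p in ("abc", "correcthorse")}
    print("distinct padded sizes:", len(sizes))
```

With the padded body every login request has the same size on the wire, so the observed length no longer depends on the password.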
     
