New Attack Sucks Information from HTTPS
Security expert Guido Vranken has published a paper on an attack that can successfully extract meaningful information from a captured TLS traffic session. Although the so-called HTTPS Bicycle attack does not provide direct access to encrypted data, it can determine the length of parts of the data, such as the cookie header or the payload of an HTTP POST request. An attacker can even employ this technique to determine the length of a password used to access an online account. Knowing the length of the password can greatly simplify a dictionary attack.
The attack has no known antidote; however, using a high-quality password and/or some form of two-factor authentication will make it more difficult for the attacker to succeed. See Guido Vranken's blog for a summary of the attack technique, or you can download the whole paper in PDF form.
Related content
-
News for admins
News for system administrators around the world.
- Devilish DNS Attack Compromises 300,000 SoHo Routers
- No One Is Safe; Citrix Networks Breached
-
Security risks from insufficient logging and monitoring
Although inadequate logging and monitoring cannot generally be exploited for attacks, it nevertheless significantly affects the level of security. -
Distributed denial of service attacks from and against the cloud
In some particularly sophisticated DDoS attacks, the attackers rely on and target the cloud, allowing attackers to work around conventional defense mechanisms. We explain how a DDoS attack in the cloud works, and how you can defend against it.
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.
