
HTTP/2 and HTTPS BICYCLE attack

From: Smith, Kevin, (R&D) Vodafone Group <Kevin.Smith@vodafone.com>
Date: Thu, 7 Jan 2016 10:03:31 +0000
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <A4BAAB326B17CE40B45830B745F70F10B5762173@VOEXM17W.internal.vodafone.com>

Hi all,

Just seen the 'HTTPS BICYCLE attack' study [1], which claims that 'the redundancy of the plaintext HTTP headers included in each and every request can be exploited in order to reveal the length of particular components (such as passwords) of particular requests'.

Although I've not seen any further analysis to verify the study, would it be correct to think that HTTP/2's support of sending only header deltas would mitigate such an attack?

Many thanks,
Kevin

[1] https://guidovranken.files.wordpress.com/2015/12/https-bicycle-attack.pdf
Received on Thursday, 7 January 2016 10:05:01 UTC
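The length-inference step that the quoted study describes, as an added Python example that is not part of the original message or of the study: a passive observer who knows every header a browser sends to a login form, except the password, recovers the password length from the size of a single TLS record. The login request shape, the sample credentials, the fixed User-Agent string and the AES-GCM overhead model (8-byte explicit nonce plus 16-byte tag, no padding, one record per request) are constructed assumptions for the demonstration.

```python
# Added example: length inference in the style of the HTTPS BICYCLE attack
# over HTTP/1.1. Constructed scenario, not code from the study or the post.
# Assumptions: the request is sent in one TLS 1.2 record with an AES-GCM
# cipher suite, so the record body is plaintext length + 8 (explicit nonce)
# + 16 (authentication tag). AEAD and stream ciphers add no padding, so the
# ciphertext length reveals the plaintext length exactly.
AEAD_OVERHEAD = 8 + 16

# The attacker is assumed to know every header the browser sends (they are
# the same on every request, which is the redundancy the study points at);
# only the password is unknown.
KNOWN_USER_AGENT = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/43.0"


def build_login_request(username: str, password: str, host: str = "example.com") -> bytes:
    """Constructed login POST; the redundant headers are what the attack relies on."""
    body = f"username={username}&password={password}"
    lines = [
        "POST /login HTTP/1.1",
        f"Host: {host}",
        f"User-Agent: {KNOWN_USER_AGENT}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n" + body).encode()


def tls_record_length(plaintext: bytes) -> int:
    """Size of the encrypted record body a passive observer sees on the wire."""
    return len(plaintext) + AEAD_OVERHEAD


def infer_password_length(observed: int, username: str,
                          host: str = "example.com", max_len: int = 256):
    """Recover the (URL-encoded) password length from one observed record size.

    Rather than subtracting a fixed header size, rebuild the request for each
    candidate length: the Content-Length header itself gains a digit at body
    lengths 10, 100, ..., so the mapping from password length to record size
    is not a plain offset. Returns None if no candidate produces the observed
    size (for example when the attacker's header model is wrong).
    """
    for n in range(max_len + 1):
        candidate = build_login_request(username, "x" * n, host)
        if tls_record_length(candidate) == observed:
            return n
    return None


if __name__ == "__main__":
    # Victim sends a real login; the observer only sees the record size.
    seen = tls_record_length(build_login_request("alice", "hunter2"))
    print(infer_password_length(seen, "alice"))  # 7
```

The recovered value is the length of the password as it appears in the form body, so multi-byte or URL-encoded characters inflate it; and the inference only works because the observer can reproduce every other byte of the request. Anything that makes the non-secret bytes vary between requests in a way the observer cannot model (which is the property the question above asks about for HTTP/2's header encoding) has to be accounted for in the candidate-building step before the subtraction is meaningful.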
