W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2016

RE: HTTP/2 and HTTPS BICYCLE attack

From: Smith, Kevin, (R&D) Vodafone Group <Kevin.Smith@vodafone.com>
Date: Thu, 7 Jan 2016 11:53:07 +0000
To: Martin Thomson <martin.thomson@gmail.com>
CC: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <A4BAAB326B17CE40B45830B745F70F10B5762345@VOEXM17W.internal.vodafone.com>
> I wouldn't prepare for the apocalypse over this.

I'll turn the kettle off then :)

> It reveals the length of fields that are unknown in the presence of known or predictable information.  It doesn't actually reveal the bytes, just the length.  Then they are left with the actually hard problem of extracting the actual value of the characters.

Would knowing which passwords are feasible to brute-force due to short length be an advantage to an attacker though...?

Cheers,
Kevin


Received on Thursday, 7 January 2016 12:26:05 UTC
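As an added worked example (mine, not code from the thread or from the BICYCLE write-up), here is the length arithmetic behind the quoted point and the question above: with a length-preserving TLS cipher the record size is the request size plus a fixed overhead, so an observer who already knows the rest of a login request can recover the length of the password field; the second half computes how much that length is worth to a brute-force attacker. The request shape, host name, form field names, the 62-character alphabet and the AES-GCM record overhead are assumptions, not anything stated in the thread.

```python
"""Added example (not from the thread): the length arithmetic behind a
BICYCLE-style observation on a TLS-protected login form, and what the
recovered password length is worth to a brute-force attacker."""

# Assumption: TLS 1.2 AES-GCM record framing, which is length-preserving
# (5-byte header + 8-byte explicit nonce + ciphertext + 16-byte tag).
# Any unpadded cipher behaves the same way; only the constant differs.
RECORD_OVERHEAD = 5 + 8 + 16


def build_login_request(password: str, username: str = "alice") -> bytes:
    """Constructed sample POST (hypothetical host and form field names).
    The password is assumed to contain only characters that form-encode
    to a single byte each; percent-encoded characters would count as 3."""
    body = f"user={username}&pass={password}".encode()
    headers = (
        "POST /login HTTP/1.1\r\n"
        "Host: www.example.test\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return headers.encode() + body


def record_length_on_wire(plaintext: bytes) -> int:
    """Bytes a passive observer sees for one TLS record carrying `plaintext`."""
    return len(plaintext) + RECORD_OVERHEAD


def infer_password_length(observed: int, username: str = "alice", max_len: int = 256) -> int:
    """Attacker side.  Everything except the password is known or
    predictable (method, path, headers, field names, the victim's
    username), so rebuild the request for each candidate length and
    find the one whose on-wire size matches.  Searching instead of
    subtracting keeps the Content-Length header's digit count right
    when the body crosses 9, 99, ... bytes."""
    for candidate in range(max_len + 1):
        if record_length_on_wire(build_login_request("x" * candidate, username)) == observed:
            return candidate
    raise ValueError("no candidate length up to %d matches" % max_len)


def search_space_known_length(alphabet_size: int, length: int) -> int:
    """Worst-case guesses when the exact length is known."""
    return alphabet_size ** length


def search_space_bounded_length(alphabet_size: int, max_length: int) -> int:
    """Worst-case guesses when only an upper bound on the length is known."""
    return sum(alphabet_size ** k for k in range(1, max_length + 1))


if __name__ == "__main__":
    victim = build_login_request("hunter2")          # constructed 7-character password
    seen = record_length_on_wire(victim)
    n = infer_password_length(seen)
    print(f"observed record: {seen} bytes -> password length {n}")

    alphabet = 62   # assumed [A-Za-z0-9]
    exact = search_space_known_length(alphabet, n)
    bounded_at_n = search_space_bounded_length(alphabet, n)
    bounded_at_16 = search_space_bounded_length(alphabet, 16)
    print(f"exact length known:       {exact:.3e} guesses")
    print(f"only 'at most {n}' known:  {bounded_at_n:.3e} guesses ({bounded_at_n / exact:.3f}x)")
    print(f"only 'at most 16' known:  {bounded_at_16:.3e} guesses ({bounded_at_16 / exact:.3e}x)")
```

The two search-space figures separate the two things the leaked length can mean. Knowing the exact length instead of "at most that length" only trims a factor of roughly N/(N-1) for an alphabet of N symbols; the leverage comes from learning that a particular account's password is short when the attacker would otherwise have had to budget for a much longer one, which is the triage the question above is asking about.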
