New HTTPS Bicycle Attack Reveals Details About Passwords, GPS Coordinates

Dutch security researcher Guido Vranken has published a paper in which he details a new attack method on TLS/SSL-encrypted traffic, one that can potentially allow attackers to extract some information from HTTPS data streams.

Mr. Vranken describes the HTTPS Bicycle Attack as a method through which an attacker can inspect HTTPS traffic and be able to determine the length of some of the data exchanged underneath the TLS protection layer.

This includes details like the length of a cookie header, the length of passwords sent in POST requests, GPS coordinates, IPv4 addresses, or other information contained in TLS-encapsulated HTTP traffic.