Bicycle attack

A TLS Bicycle Attack refers to a method of discovering password length on encrypted packets transmitted via SSL, or HTTPS. The term was first coined on December 30, 2015, by Guido Vranken, who wrote:[1]

"The name TLS Bicycle Attack was chosen because of the conceptual similarity between how encryption hides content and gift wrapping hides physical objects. My attack relies heavily on the property of stream-based ciphers in TLS that the size of TLS application data payloads is directly known to the attacker and this inadvertently reveals information about the plaintext size; similar to how a draped or gift-wrapped bicycle is still identifiable as a bicycle, because cloaking it like that retains the underlying shape. The reason that I've named this attack at all is only to make referring to it easier for everyone."

The premise of the bicycle attack is that it makes brute-forcing of passwords much easier, because the length of passwords can be known.

Moreover, it refutes the idea that SSL-encrypted HTTP packets obscure the length, because:

"the redundancy of the plaintext HTTP headers included in each and every request can be exploited in order to reveal the length of particular components (such as passwords) of particular requests (such as authentication to a web application)."[1]