bicycle attack + openconnect

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Thu Jan 21 06:03:08 PST 2016


There is an interesting attack published against HTTPS-based protocols
described in [0]. In that paper methods are described to get the
password length and discover an IPv4 address transferred within
HTTPS-encrypted sessions. For that he uses the length of the
transferred packets.

The attack may be applicable in certain scenarios. For openconnect
(the ocserv and anyconnect client), the password length is hidden
since version 5.99 as we make sure that the length of the packet
transferring the password is a multiple of 64 (see http.c and X-Pad).
Thus it is not vulnerable to this kind of attack on the password
length.
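To illustrate the padding idea described above, here is an added example (not code from openconnect's http.c or ocserv): a constructed HTTP POST carrying a password is padded with a filler header so that its on-wire length is always a multiple of 64 bytes. Only the header name "X-Pad" is taken from the post; the header's value format, the request layout, the host name and the sample passwords are assumptions constructed for the example.

```python
"""Length padding to hide a secret's size in an HTTP request.

Added example, not openconnect's own code. It mimics the approach the
post describes: pad the request that carries the password so its total
length is a multiple of a fixed block (64 bytes), which turns the exact
password length into a coarse 64-byte bucket. The "X-Pad" header name
is from the post; the filler format below is an assumption.
"""

BLOCK = 64
PAD_HEADER = b"X-Pad"  # header name from the post; value format is assumed


def build_request(host: str, path: str, username: str, password: str) -> bytes:
    """Build a minimal constructed HTTP/1.1 POST (sample input, not a real capture)."""
    body = f"username={username}&password={password}".encode()
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
    ).encode()
    return head + b"\r\n" + body


def pad_request(request: bytes, block: int = BLOCK) -> bytes:
    """Insert an X-Pad header sized so that len(result) % block == 0.

    The body is untouched, so Content-Length stays correct; only a header
    line is added before the blank line that ends the header section.
    """
    head, sep, body = request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no header/body separator")
    # Length of the request once an X-Pad header with an empty value is added:
    # "X-Pad" + ": " + "" + "\r\n" contributes len(PAD_HEADER) + 4 bytes.
    with_empty_pad = len(request) + len(PAD_HEADER) + len(b": \r\n")
    filler = (-with_empty_pad) % block  # 0..block-1 bytes of filler
    pad_line = PAD_HEADER + b": " + b"X" * filler + b"\r\n"
    return head + b"\r\n" + pad_line + b"\r\n" + body


def wire_lengths(passwords, padded: bool = True):
    """Return the on-wire request length for each sample password.

    With padded=False the lengths leak the password length directly;
    with padded=True passwords in the same 64-byte bucket are indistinguishable.
    """
    out = []
    for pw in passwords:
        req = build_request("vpn.example.com", "/auth", "alice", pw)  # constructed values
        out.append(len(pad_request(req)) if padded else len(req))
    return out


if __name__ == "__main__":
    samples = ["a" * 6, "a" * 12, "a" * 40]
    print("unpadded:", wire_lengths(samples, padded=False))
    print("padded:  ", wire_lengths(samples))
```

The observable difference is what matters for the attack in the paper: unpadded, each extra password character adds one byte to the request, so an observer with the record lengths recovers the password length exactly; padded, all three sample passwords produce the same 192-byte request and the observer learns only the bucket.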

For discovering the IPv4 range to which a VPN client is connected, that
could be possible, but I am not sure whether that warrants further
investigation or a fix.

regards,
Nikos

[0] http://lwn.net/SubscriberLink/672278/522256f5d4de3196/ and
https://guidovranken.files.wordpress.com/2015/12/https-bicycle-attack.pdf
