bicycle attack + openconnect

Nikos Mavrogiannopoulos n.mavrogiannopoulos at
Thu Jan 21 06:03:08 PST 2016

There is an interesting attack published against HTTPS-based protocols
described in [0]. In that paper methods are described to get the
password length and discover an IPv4 address transferred within
HTTPS-encrypted sessions. For that he uses the length of the
transferred packets.

The attack may be applicable in certain scenarios. For openconnect,
(the ocserv and anyconnect client), the password length is hidden
since version 5.99 as we make sure that the length of the packet
transferring the password is a multiple of 64 (see http.c and X-Pad).
Thus it is not vulnerable on this kind of attacks for the password

For discovering the IPv4 range which a VPN client is connected, that
could be possible, but I am not sure whether that warrants further
investigation or fix.


[0]. and

More information about the openconnect-devel mailing list