Does HTTPS leak password length?



  • On a website with user accounts, all HTTP requests coming from the submission of a login form kind of contain the same info, there are only a few things that are different in the HTTP requests, such as the entered username, the entered password, and a few headers, such as User-Agent. If HTTPS is used to encrypt the request and a hacker would inspect the encrypted request and know the user tries to login as Alice using Firefox, would the hacker be able to figure out the length of the password by looking at the length of the encrypted HTTP request?

    I guess my question is if (or to which extent) HTTPS is leaking the length of the encrypted message.



  • HTTPS leaks password length only roughly based on input. For example, AES CBC operates with blocks of 128 bits. If total plaintext size is dividable by block size without remainder, then ciphertext size will match plaintext size. If not, then plaintext is padded with bits to make plaintext message dividable by 128 without remainder and only then plaintext is encrypted. In other words, ciphertext size is calculated (for AES CBC) as:

    cipherTextLength = (plainTextLength / 16 + 1) * 16
    

    having ciphertext size and exact source message where only password is variable and unknown, then you can guess password length with 16 byte precision.

    Updated based on comments: unlike block ciphers, stream ciphers (like AES GCM) perform bit-by-bit encryption and total ciphertext length will equal plaintext length in bits, i.e.

    cipherTextLength = plainTextLength
    

    however, it doesn't mean that block cipher is better than stream. In fact, AES GCM is slightly better than CBC in security and much better in performance, because it can be parallelized. But that is a very different question.

    p.s. thanks to nobody for corrections.
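The following is an added example, not code from the original thread. It simulates the length side channel the answer describes: a constructed login request in which everything except the password is assumed known to a passive observer, the answer's padding formula for a CBC cipher suite, the unpadded case for a stream/AEAD cipher such as AES-GCM, and, as a mitigation, padding the record up to a fixed granularity (TLS 1.3 permits record padding; the 256-byte policy, the request template and the credentials are all assumptions). The observer's inference is done by enumeration, so it also accounts for the Content-Length digits changing with body size.

```python
# Added example: how much of a password's length leaks through the size of an
# encrypted login request. All names, the request template, the credentials and
# the padding policy are constructed assumptions, not from the original thread.

BLOCK = 16              # AES block size in bytes
PAD_GRANULARITY = 256   # assumed record-padding policy for the mitigation case

# Constructed request; the observer is assumed to know all of it except the
# password (the question's premise: "Alice, using Firefox").
REQUEST_TEMPLATE = (
    "POST /login HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Firefox\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: {length}\r\n"
    "\r\n"
    "{body}"
)


def build_request(user: str, password: str) -> bytes:
    """Render the plaintext HTTP request for a given username and password."""
    body = f"username={user}&password={password}"
    return REQUEST_TEMPLATE.format(length=len(body), body=body).encode()


def cbc_ciphertext_len(n: int) -> int:
    """The answer's formula: pad to the next block boundary, always adding at
    least one byte (PKCS#7 / TLS CBC style padding)."""
    return (n // BLOCK + 1) * BLOCK


def stream_ciphertext_len(n: int) -> int:
    """Stream/AEAD mode (e.g. AES-GCM): no padding, so the length is preserved.
    The constant-size authentication tag is omitted because it cancels out
    when comparing requests against each other."""
    return n


def padded_ciphertext_len(n: int) -> int:
    """Mitigation: pad the record (content plus one type byte, as TLS 1.3 does)
    up to a multiple of PAD_GRANULARITY. The real padding policy is
    implementation-defined; 256 bytes is an assumption."""
    return -(-(n + 1) // PAD_GRANULARITY) * PAD_GRANULARITY


MODES = {
    "cbc": cbc_ciphertext_len,
    "stream": stream_ciphertext_len,
    "padded": padded_ciphertext_len,
}


def observed_len(user: str, password: str, mode: str) -> int:
    """Size of the encrypted request as a passive observer would see it."""
    return MODES[mode](len(build_request(user, password)))


def candidate_password_lengths(user: str, observed: int, mode: str, max_len: int = 64) -> list:
    """What the observer can infer: every password length k whose request
    would encrypt to exactly `observed` bytes. Enumeration rather than
    arithmetic, so changes in the Content-Length digits are handled too."""
    return [k for k in range(max_len + 1)
            if observed_len(user, "x" * k, mode) == observed]


if __name__ == "__main__":
    for mode in MODES:
        seen = observed_len("alice", "hunter2", mode)   # real password has 7 chars
        cands = candidate_password_lengths("alice", seen, mode)
        print(f"{mode:7s} observed={seen:4d} bytes  "
              f"possible password lengths {cands[0]}..{cands[-1]} ({len(cands)} candidates)")
```

With the constructed request, the stream case pins the password length exactly, the CBC case narrows it to a 16-value window (the "16 byte precision" of the answer), and padding every record to 256 bytes leaves all 65 enumerated lengths indistinguishable. Padding the form to a fixed size at the application layer achieves the same effect without relying on the TLS stack's policy.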


