So the point here is that they say QUIC doesn't do length hiding. Okay. This is not a secret, but okay, you can point that out.
However then they go on that they don't know (because they haven't checked) whether the same is true for TLS. It is. It's been published as the HTTPS Bicycle attack. Writing "we strongly encourage other researchers to study TLS version 1.2 to see if Ring-Road exists" is comical under this circumstances.
The university's press release tries to spin this as a google bug:
https://www.cerias.purdue.edu/site/blog/post/purdue_cerias_r...
Which is... quite a stretch, given that QUIC just has the very same behavior as TLS. It almost makes you think they haven't checked TLS to be able to spin this as a "google vuln" story.
Then they recommend to disable QUIC. Which will do... nothing to mitigate this vuln, because of course the browser will just fall back to normal HTTPS with TLS - which has the same vuln, but hey, they haven't checked.
In either case, TLS does this too [1], so the mitigations they recommend will have no effect. Worth reading cryptographer Thomas Pornin's opinion of the matter [2] in response to that thread.
[1] https://security.stackexchange.com/questions/109973/
[2] https://security.stackexchange.com/a/109976
A realistic answer would be to point out that if leaking the password length allows breaking it, then this is a poor password to begin with, and you should probably fix that.
(Aside: I wonder how many systems have censored Pornin's last name.)
The only (but still important) lesson here is to pad critical form data as a site owner (assuming randomness doesn't buy you much) or have a good user password such that knowing the length doesn't make brute achievable. Even do a pre-hashing step on the client if you can guarantee it will happen and care to do so. I'm sure smarter people than me have given good advice about this somewhere.
The most frustrating thing about this is the presumption to name something like this. Bug names have always bugged me (hah) but this is a bit absurd. It doesn't even seem that clever :/
"Apple has decided to use alternatives such as Advanced Encryption Standard, Cipher Block Chaining (AES-CBC) + Keyed Hash Authentication (HMAC) to achieve both confidentiality and integrity for sensitive data transmitted over the Internet."
They're talking about a vulnerability in QUIC, a protocol Apple doesn't support, to my knowledge. To the extent that eyebrows are waggled in the direction of AES-GCM in TLS, Apple supports that as well.
"AES-GCM is also used by TLS version 1.2. We have been unable to verify the Ring-Road vulnerability in TLS due to time constraints, but we strongly encourage other researchers to study TLS version 1.2 to see if Ring-Road exists."
Is this the same thing as what somebody previously called the "bicycle attack"? [1] (it went over like a lead balloon so you're forgiven for not having noticed)
[1] https://guidovranken.wordpress.com/2015/12/30/https-bicycle-...
Given the nature of a length disclosure vulnerability, it should be trivial to mitigate client side, which means that any particular site can be patched instantly, if the vulnerability actually exists. If this was actually serious, and was disclosed responsibly, then large sites would already be fixed. Without relevant details this site reads more like an ad for this "Spotlight Cybersecurity" outfit than anything else. I'm guessing the real story is a lot different than what's presented here.
It doesn't say how they get the Gmail address to correlate back to the known length password though.
I see the "light on details" reasoning, but it doesn't go well with the sensationalist "1 in 10 Gmail users."
Surely Google doesn't allow high rate guessing, they must throttle or temporarily disable targeted accounts.
Information leakage is never desirable, but knowing the length should never make the difference between a password being crackable or not. This seems like a "huh, should fix that in the next version if we don't have anything better to do" bug, rather than a "buy a domain name and alert the world" bug.
I guess this is the flip side to marketing of bugs like Heartbleed. Now people are starting to use the same approach for trivial nonsense.
https://www.cerias.purdue.edu/site/blog/post/purdue_cerias_r...
This is much more dangerous if combined with a database dump containing password hashes. (but that's a different problem)
It's cool as an undergraduate student project, but until it's got a CVE assigned and/or better vetting I don't think it's very helpful to be sharing a FUD site like this.
You should probably at least vaguely understand how it works before criticising it.
Sure, they maintain a control TCP channel like ftp but that's a normal pattern. Falling back to other protocols is a necessity because some environments literally lock down everything apart from ARP, DHCP, DNS, HTTP/S and email.
Writing an application-level protocol to make UDP act like TCP or SCTP is a sign of failure to fix issues lower down.
Worse, UDP often gets dropped first when a network is saturated, and it's harder troubleshoot to because it's not connection-oriented stateful and doesn't work with existing tools... debugging now requires nonstandard knowledge inside an app. (Turning a browser into an OS is a metastasizing cancer.)
There are better ways to solve efficient, low-latency content distribution and bidirectional state RPC without reinventing everything every other year.
