The HTTPS Bicycle attack can result in the length of personal and secret data being exposed from a packet capture of a user’s HTTPS traffic. For example, the length of passwords and other data (such as GPS co-ordinates) can be determined simply by analysing the lengths of the encrypted traffic.Some of the key observations of this attack are as below: Requires a packet capture containing HTTPS (TLS) traffic from a browser to a website The TLS traffic must use a stream-based cipher Can reveal the lengths of unknown data as long as the length of the rest of the data is known – this includes passwords, GPS data and IP addresses Packet captures from several years ago could be vulnerable to this attack, with no mitigation possible The real world impact is unknown, as there are several prerequisites that may be hard to fulfill.This leads us into interesting discussions on the resilience of passwords as a form of authentication method.

Source: HTTPS Bicycle Attack – Obtaining Passwords From TLS Encrypted Browser Requests | Websense