by ecma 3350 days ago
I'm dumbfounded finding this link on the top page. In news today, we found out that stream ciphers retain plaintext length and unpadded form data is insecure. The nuance which seems to be missing in the understanding is that TLS confidentiality never intended (AFAIK) to include plaintext size. If it did, there would be a very interesting tradeoff around on-wire size and size masking. Even so, random per-message padding with known (e.g. protocol defined) bounds could be defeated by capturing multiple/many valid authentication packets or whatever the target is.

The only (but still important) lesson here is to pad critical form data as a site owner (assuming randomness doesn't buy you much) or have a good user password such that knowing the length doesn't make brute force achievable. Even do a pre-hashing step on the client if you can guarantee it will happen and care to do so. I'm sure smarter people than me have given good advice about this somewhere.

The most frustrating thing about this is the presumption to name something like this. Bug names have always bugged me (hah) but this is a bit absurd. It doesn't even seem that clever :/
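The three points the comment makes (ciphertext length tracks plaintext length under a stream cipher or AEAD, bounded random padding is recovered by an observer who sees many logins, fixed-bucket padding or client-side pre-hashing masks the length) as an added, self-contained example. This is not code from the linked article or from the commenter. The record-size model, the `&pad=` form field the server is assumed to ignore, the 16-byte tag, the bucket size, the site salt and the sample credentials are all constructed for the demo.

```python
"""Added example for the thread above (not code from the linked article or the
commenter): a stream cipher / AEAD keeps ciphertext length equal to plaintext
length, so an unpadded login form leaks the password length; bounded random
padding does not survive many captures, while fixed-bucket padding and
client-side pre-hashing do.  Names, sizes and inputs are constructed."""
import hashlib
import random

TAG_LEN = 16          # AES-GCM / ChaCha20-Poly1305 append a 16-byte tag
PAD_FIELD = b"&pad="  # assumed extra form field that the server simply ignores


def record_size(plaintext: bytes) -> int:
    """Modelled on-wire size of one TLS record: the cipher adds only a fixed
    tag, so every byte of plaintext length shows up on the wire.
    (Record header bytes are constant and omitted.)"""
    return len(plaintext) + TAG_LEN


def login_body(user: str, password: str) -> bytes:
    """Unpadded urlencoded form body as a browser would send it."""
    return f"user={user}&pass={password}".encode()


def pad_to_bucket(body: bytes, bucket: int) -> bytes:
    """Site-owner fix: append a throwaway field so the body length is always
    a multiple of `bucket`.  An observer learns the bucket, not the length."""
    base = len(body) + len(PAD_FIELD)
    target = -(-base // bucket) * bucket      # round up to next bucket
    return body + PAD_FIELD + b"x" * (target - base)


def pad_random(body: bytes, max_pad: int, rng: random.Random) -> bytes:
    """The weak alternative: random padding drawn from a known range [0, max_pad]."""
    return body + PAD_FIELD + b"x" * rng.randint(0, max_pad)


def infer_secret_length(sizes, known_overhead: int) -> int:
    """Attacker view against pad_random: the padding is bounded below by 0, so
    the smallest record seen over many logins is the unpadded length."""
    return min(sizes) - known_overhead


def prehash_password(password: str, site: str) -> str:
    """Client-side pre-hashing: fixed-length output whatever the password
    length.  The server must still hash what it receives, since the pre-hash
    is now the credential that authenticates."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), site.encode(), 10_000)
    return dk.hex()


def demo():
    short, long_ = "hunter2", "correcthorsebatterystaple"
    # 1. unpadded: record size differs by exactly the password length difference
    leak = (record_size(login_body("alice", short)),
            record_size(login_body("alice", long_)))
    # 2. fixed bucket: both passwords produce the same record size
    fixed = (record_size(pad_to_bucket(login_body("alice", short), 64)),
             record_size(pad_to_bucket(login_body("alice", long_), 64)))
    # 3. random padding: 5000 captured logins, take the minimum
    rng = random.Random(1)
    sizes = [record_size(pad_random(login_body("alice", short), 32, rng))
             for _ in range(5000)]
    overhead = TAG_LEN + len(b"user=alice&pass=") + len(PAD_FIELD)
    return {
        "unpadded_sizes": leak,
        "bucketed_sizes": fixed,
        "inferred_len_vs_random_pad": infer_secret_length(sizes, overhead),
        "prehash_len": len(prehash_password(short, "example.com")),
    }


if __name__ == "__main__":
    print(demo())
```

The attacker in `infer_secret_length` only needs the padding's lower bound and enough samples for it to be hit once; a wider range raises the sample count, not the attacker's uncertainty about the final answer. Bucketing trades that for a constant, predictable on-wire cost, which is the size-versus-masking tradeoff the comment mentions.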