Not being into security much (if I can help it) I had to look up the term [1].

Basically it's a reference to how a (tightly) wrapped bike is still recognizable as being a bike.

[1] https://en.m.wikipedia.org/wiki/Bicycle_attack
If you learn the exact length of a password, you gain say 3-4 bits of entropy? 4 bits if there are sixteen possible password lengths, all equally likely.

4 bits is not nothing, and it makes most cracking attacks 16 times easier, but it's hopefully never going to be the difference between good security and bad.
It is surprising to me that modern browsers don't pad TLS (in TLS 1.3 padding is "free" in the sense that you don't need any extra bytes to say "this is padding") to fill the last packet.

Supposing MSS is 1500 for a link, how much longer can it conceivably take to send say 1500 bytes including 120 bytes of padding versus 1380 bytes?
It feels like browsers could fix this in a fairly simple way. Something like using a value for the form boundary that varies in length for each request, or an X-RandPad type header that has some variable length data?
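To put numbers on the two threads above (the "4 bits for 16 equally likely lengths" estimate, and the suggestion that TLS 1.3 record padding would hide it), here is an added example that is not from the thread or any browser's code. It models the visible size of a single TLS 1.3 application-data record carrying a constructed login form body (field names and the username are assumptions), buckets candidate password lengths by the record size they would produce, and computes how many bits about the length that size reveals, with and without padding the inner plaintext up to a fixed multiple.

```python
import math

RECORD_HEADER_LEN = 5   # TLSCiphertext header: type, legacy version, length
CONTENT_TYPE_LEN = 1    # TLS 1.3 inner content-type byte
AEAD_TAG_LEN = 16       # AES-GCM / ChaCha20-Poly1305 authentication tag


def login_body(username: str, password: str) -> bytes:
    """Constructed login form body; field names are assumptions, not a real site's."""
    return f"username={username}&password={password}".encode()


def record_length(plaintext_len: int, pad_to: int = 0) -> int:
    """On-the-wire size of one TLS 1.3 application-data record carrying the body.

    TLS 1.3 appends zero bytes after the content-type byte as padding; they sit
    inside the encrypted part, so only the total length is visible. pad_to=0
    means no padding; otherwise the inner plaintext is rounded up to a multiple
    of pad_to bytes (the bucketing idea the comments above describe).
    """
    inner = plaintext_len + CONTENT_TYPE_LEN
    if pad_to:
        inner = math.ceil(inner / pad_to) * pad_to
    return RECORD_HEADER_LEN + inner + AEAD_TAG_LEN


def length_buckets(username: str, candidates, pad_to: int = 0) -> dict:
    """Group candidate password lengths by the record size they would produce."""
    buckets: dict[int, set[int]] = {}
    for pw in candidates:
        size = record_length(len(login_body(username, pw)), pad_to)
        buckets.setdefault(size, set()).add(len(pw))
    return buckets


def leaked_bits(buckets: dict) -> float:
    """Bits of information about the password length revealed by record size.

    Assumes every candidate length is equally likely (the comment's model):
    H(length) - H(length | record size).
    """
    n = sum(len(b) for b in buckets.values())
    prior = math.log2(n)
    posterior = sum(len(b) / n * math.log2(len(b)) for b in buckets.values())
    return prior - posterior


if __name__ == "__main__":
    pws = ["x" * k for k in range(8, 24)]   # 16 candidate lengths, 8..23 chars
    for pad in (0, 8, 256):
        print(f"pad_to={pad:3d}: {leaked_bits(length_buckets('alice', pws, pad)):.2f} bits leaked")
```

With no padding each of the 16 lengths maps to a distinct record size (4 bits leaked); padding to 8-byte multiples leaves two buckets (1 bit); padding to 256 collapses all candidates into one size (0 bits), which is the point both comments above are making.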