At Black Hat USA 2016, doctoral candidates Mathy Vanhoef and Tom Van Goethem presented HEIST, an SSL/TLS vulnerability. HEIST is short for “HTTP Encrypted Information can be Stolen through TCP-windows.”

The attack can be triggered simply by a JavaScript file, which may be hidden in a web advertisement or hosted directly on a webpage. The malicious code can then request a variety of pages protected by SSL/TLS and measure the precise size of the encrypted data they return. HEIST works by exploiting the way HTTPS responses are delivered over TCP, a core protocol of the Internet. As a result, private data such as passwords and credit card numbers could be exposed.

HEIST allows known compression-based attacks such as BREACH and CRIME to be performed directly in the browser with no network access required. This makes the attack easier to carry out, since a man-in-the-middle (MitM) position is not required.

HEIST is a side-channel attack on HTTPS: rather than breaking the SSL/TLS encryption, it leaks the data exchanged through a compression attack. Once the attacker knows the exact size of the compressed message, they can make informed guesses at its content. Because the compression used by most websites works by eliminating repeated text strings, a correct guess causes no increase in data size, while an incorrect guess causes the response to grow larger. By process of elimination, the content can be determined.
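The following Python example, added here and not part of the original article or of the HEIST presenters' work, makes the size leak described above concrete and shows one standard server-side countermeasure that the article does not discuss. All values in it (the HTML body, the token `7f3a9c2e04b1`, the reflected inputs) are constructed for the demonstration. It compresses a page in which a reflected query value sits in the same response as a secret, compares the compressed size for a reflected value that repeats the secret against one of the same length that does not, and then masks the secret with a fresh random value per response so that the encoded secret never repeats anything an attacker can inject.

```python
import os
import zlib
from typing import Optional

# Constructed sample values (not real tokens or pages).
SECRET_TOKEN = "7f3a9c2e04b1"   # per-session secret embedded in the page
CORRECT_GUESS = "7f3a9c2e04b1"  # reflected input identical to the secret
WRONG_GUESS = "q1w2e3r4t5y6"    # reflected input of the same length, different bytes


def render_page(reflected: str, token: str) -> bytes:
    """Constructed HTML in which attacker-influenced input (a reflected query
    value) and a secret share one compressed response, the situation that
    BREACH and CRIME exploit."""
    return (
        "<html><body><form>"
        f"<input name='q' value='{reflected}'>"
        f"<input name='csrf' value='{token}'>"
        "</form></body></html>"
    ).encode()


def compressed_size(body: bytes) -> int:
    """Length after DEFLATE (what HTTP gzip/deflate encoding would send).
    TLS does not hide this length; HEIST recovers it from TCP window
    behaviour, so this number is what the side channel exposes."""
    return len(zlib.compress(body))


def size_delta(token: str, guess: str, baseline: str) -> int:
    """Compressed size with `guess` reflected minus the size with a same-length
    `baseline` reflected. A negative result means the guess compressed
    better, i.e. it repeated bytes already present in the body."""
    return (compressed_size(render_page(guess, token))
            - compressed_size(render_page(baseline, token)))


# --- Countermeasure: per-response masking of the secret -------------------

def mask_token(token: str, mask: Optional[bytes] = None) -> str:
    """Encode the secret as hex(mask) || hex(token XOR mask) with a fresh
    random mask per response. The same secret then appears as different
    bytes in every response, so no reflected guess can match it and
    compression gains nothing from a correct guess."""
    raw = token.encode()
    if mask is None:
        mask = os.urandom(len(raw))
    masked = bytes(a ^ b for a, b in zip(raw, mask))
    return mask.hex() + masked.hex()


def unmask_token(encoded: str) -> str:
    """Server-side inverse of mask_token, applied when the form is submitted."""
    blob = bytes.fromhex(encoded)
    half = len(blob) // 2
    mask, masked = blob[:half], blob[half:]
    return bytes(a ^ b for a, b in zip(masked, mask)).decode()


def render_page_masked(reflected: str, token: str) -> bytes:
    """Same page, but the secret is emitted in masked form."""
    return render_page(reflected, mask_token(token))


if __name__ == "__main__":
    # Unmasked: the correct guess yields a strictly smaller response.
    print("unmasked size delta (correct - wrong):",
          size_delta(SECRET_TOKEN, CORRECT_GUESS, WRONG_GUESS))
    # Masked: the encoded secret no longer contains the secret's bytes.
    encoded = mask_token(SECRET_TOKEN)
    print("secret visible in masked field:", SECRET_TOKEN in encoded)
    print("round trip ok:", unmask_token(encoded) == SECRET_TOKEN)
```

Masking does not change the response's compressibility from the attacker's point of view in any way that depends on the secret, which is the property a length side channel needs to be useless; disabling HTTP compression on responses that carry secrets, or keeping secrets out of responses that reflect user input, achieves the same end.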

HEIST works with both the older HTTP/1.x and the newer HTTP/2 protocols. HTTP/2 can even speed up the attack, since it supports parallel requests natively.

To mitigate the attack when it is delivered through a web advertisement, third-party cookies should be disabled. The downside is that most browsers accept third-party cookies by default, and many services will not work unless third-party cookies are allowed. Site operators should understand that if they use third-party content, their customers could be affected; ensure that the third parties you rely on are trusted.