HEIST: HTTP Encrypted Information can be Stolen Through TCP-Windows

by Tom Van Goethem and Mathy Vanhoef, Sept. 15, 2017, via www.blackhat.com (submitted by belen_caty)

We introduce HEIST, a set of techniques that allows us to carry out attacks against SSL/TLS purely in the browser. More generally, and surprisingly, with HEIST it becomes possible to exploit certain flaws in network protocols without having to sniff actual traffic. HEIST abuses weaknesses and subtleties in the browser, and the underlying HTTP, SSL/TLS, and TCP layers. Most importantly, we discover a side-channel attack that leaks the exact size of any cross-origin response. This side-channel abuses the way responses are sent at the TCP level. Combined with the fact that SSL/TLS lacks length-hiding capabilities, HEIST can directly infer the length of the plaintext message. Concretely, this means that compression-based attacks such as CRIME and BREACH can now be performed purely in the browser, by any malicious website or script, without requiring network access.
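The abstract rests on two facts: TLS does not hide plaintext length, and a compressed response that reflects attacker input shrinks when that input repeats a secret already in the page (the BREACH principle). The following Python is an added illustration, not code from the HEIST talk or its authors, showing the second fact and the per-response token-masking countermeasure discussed in the BREACH literature; it does not model the TCP-window side channel itself. `SECRET_TOKEN`, `MISS_GUESS`, `render_page` and the masking format are constructed for the example, and `length_signal` is the kind of regression check a team can run against its own templates to see whether a compressed response's size depends on a secret.

```python
import secrets
import zlib
from typing import Callable, Optional

# Constructed sample values; nothing here comes from the HEIST talk itself.
SECRET_TOKEN = "csrf=7f3a9c1e"   # stands in for a per-session anti-CSRF token
MISS_GUESS = "k3m8q1w5t0v2p"     # same length as the token, shares no substring with it


def render_page(reflected: str, token_markup: str) -> bytes:
    """Constructed response body that echoes user input (a search term) and
    also embeds a secret token: the two ingredients a compression oracle needs."""
    return (
        "<html><body>"
        f"<p>You searched for: {reflected}</p>"
        f"<form><input type='hidden' name='token' value='{token_markup}'></form>"
        "</body></html>"
    ).encode()


def compressed_len(body: bytes) -> int:
    """Size of the body after HTTP-level DEFLATE compression. TLS adds only a
    constant per-record overhead, so this is what an observer of record sizes
    (or, with HEIST, of TCP window behaviour) effectively learns."""
    return len(zlib.compress(body))


def length_signal(render: Callable[[str, str], bytes], token_markup: str,
                  guess: str, miss: str = MISS_GUESS) -> int:
    """Compressed-size difference between a response reflecting `miss` and one
    reflecting `guess`. A clearly positive value means the reflected guess shares
    text with the page's secret, i.e. the response length depends on the secret."""
    return compressed_len(render(miss, token_markup)) - compressed_len(render(guess, token_markup))


def mask_token(token: str, nonce: Optional[bytes] = None) -> str:
    """Mitigation: XOR the token with a fresh random nonce on every response and
    emit nonce||masked as hex. The secret's literal bytes never appear in the
    body, so no reflected input can share a substring with them."""
    raw = token.encode()
    nonce = secrets.token_bytes(len(raw)) if nonce is None else nonce
    masked = bytes(t ^ n for t, n in zip(raw, nonce))
    return nonce.hex() + masked.hex()


def unmask_token(markup: str) -> str:
    """Server-side inverse of mask_token (the nonce is the first half)."""
    blob = bytes.fromhex(markup)
    half = len(blob) // 2
    nonce, masked = blob[:half], blob[half:]
    return bytes(m ^ n for m, n in zip(masked, nonce)).decode()


if __name__ == "__main__":
    leak = length_signal(render_page, SECRET_TOKEN, SECRET_TOKEN)
    print(f"plain token:  compressed-size signal = {leak} bytes")
    masked = mask_token(SECRET_TOKEN)
    print(f"masked token: compressed-size signal = "
          f"{length_signal(render_page, masked, SECRET_TOKEN)} bytes")
```

With the token embedded verbatim, the response that reflects the real token compresses roughly ten bytes smaller than one reflecting an unrelated string of the same length, and because TLS preserves length that difference survives encryption. With masking, the page contains only a one-time nonce and the XORed token, so the two responses compress to essentially the same size; the server recovers the token with `unmask_token`. Disabling compression for responses that carry secrets, or keeping secrets and reflected input out of the same response, removes the signal as well.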


Steven Ulm 1 month ago

I had no doubt about it... between HTTPS and HTTP the difference is not that big...