Steal SSL Secrets with HEIST Attack


HEIST is an attack that steals encrypted secrets from a user's communication with a secure (HTTPS) website, without any need for a man-in-the-middle (MITM) position!

Under the title “HTTP Encrypted Information can be Stolen through TCP-windows”, researchers from the University of Leuven named their attack. Their goal: to steal the encrypted information from HTTPS sessions. How effective the HEIST attack, which will be presented at the Black Hat conference, really is, nobody can say yet.

Attack by JavaScript

HEIST builds on the BREACH attack, which was introduced three years ago. The difference from BREACH: the attacker does not need to run a MITM attack to intercept the information. He only needs JavaScript code injected into a website, for example through XSS or XSRF attacks or through malicious ads. This JavaScript code measures the time a TCP reply takes. Using a mathematical approach based on the timing of the TCP window, the method can determine whether a certain character is included in the response.

Using this method, an attacker could run CSRF attacks and use the information obtained to authenticate against the website. TCP windows are used by TCP/IP to optimise the data flow of a network connection and cannot be controlled by the user. By combining this with its manipulative approach, HEIST steals content from the communication between website and visitor in a very tricky way.

The attack is mainly based on the fact that any change to the payload of a TCP packet will increase the size of the TCP window. The BREACH attack uses this by repeatedly injecting similar information and mixing the hunted character into it. This way the attacker can construct a YES/NO oracle that helps to determine the content of the TCP payloads.

HEIST can be disabled by deactivating third-party cookies, which might cause problems on some websites. There is a white paper that explains HEIST in further detail: HEIST: HTTP Encrypted Information can be Stolen through TCP-windows

Theoretical so far

So far, BREACH is a theoretical attack, or at least no practical BREACH tools and methods are known. HEIST might change this, since it removes the need for a MITM attack. Whether HEIST will really work, we will see in the coming days! Stay tuned!
