HEIST is an attack method for stealing encrypted secrets from a user's communication with a secure (HTTPS) website, without any need for a man-in-the-middle (MITM) position!
Researchers from the University of Leuven named their attack after its description: “HTTP Encrypted Information can be Stolen through TCP-windows”. Their goal is to steal encrypted information from HTTPS sessions. How effective the HEIST attack, which will be presented at the Black Hat conference, really is, nobody can say yet.
Using this method, an attacker could run CSRF attacks and use the recovered information to authenticate against the website. TCP windows are used by TCP/IP to optimise the data flow of a network connection and cannot be controlled by the user. By combining this with its manipulative approach, HEIST steals content from the communication between the website and its visitor in a very tricky way.
The attack is mainly based on the fact that any change of the payload in a TCP packet will increase the size of the TCP window. The BREACH attack uses this by repeatedly injecting similar information and mixing the character it is hunting for into that information. This lets the attacker construct a yes/no oracle that helps determine the content of the TCP payloads.
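To make the yes/no oracle concrete, here is an added illustration (not code from the post or from the HEIST paper) of the BREACH-style length side channel and of one server-side countermeasure, per-response token masking, which is a generic technique and not something the post prescribes. The page template, the token value and the two guesses are constructed for the example; `zlib` stands in for HTTP-level gzip/deflate, and the compressed size is measured directly rather than observed through TCP windows as HEIST does in the browser.

```python
"""BREACH-style compression length oracle, and why token masking blunts it."""
import os
import zlib

# Constructed secret: a hypothetical anti-CSRF token embedded in the page.
SECRET_TOKEN = "a3f9c2e1b7d4f0a6"

# Two reflected strings of equal length: one repeats the secret, one does not.
CORRECT_GUESS = "csrf=" + SECRET_TOKEN
WRONG_GUESS = "csrf=x7k2m5q8w1z4r6n9s3"


def render_page(token_text: str, reflected: str) -> bytes:
    """Hypothetical server response: a secret and an attacker-influenced
    (reflected) string share one compressed body, the precondition for BREACH."""
    html = (
        "<html><body>"
        f'<a href="/logout?csrf={token_text}">Log out</a>'
        f"<p>No results for: {reflected}</p>"
        "</body></html>"
    )
    return html.encode()


def compressed_length(body: bytes) -> int:
    """Size of the body after deflate, the quantity the attacker observes."""
    return len(zlib.compress(body))


def length_delta(render, correct_guess: str, wrong_guess: str) -> int:
    """Compressed size with the wrong guess minus size with the correct guess.
    A positive delta means the response length answers 'does the reflected
    text match the secret?', i.e. the yes/no oracle exists."""
    return compressed_length(render(wrong_guess)) - compressed_length(render(correct_guess))


def mask_token(token: str) -> str:
    """Mitigation: XOR the token with a fresh random mask on every response and
    emit mask || masked. The literal token never appears in the body, so a
    reflected guess has nothing to match against in the compressor's window."""
    raw = token.encode()
    mask = os.urandom(len(raw))
    masked = bytes(a ^ b for a, b in zip(raw, mask))
    return mask.hex() + masked.hex()


def unmask_token(masked_hex: str) -> str:
    """Server side: recover the real token from a submitted masked value."""
    data = bytes.fromhex(masked_hex)
    half = len(data) // 2
    mask, masked = data[:half], data[half:]
    return bytes(a ^ b for a, b in zip(mask, masked)).decode()


def unmasked_page(reflected: str) -> bytes:
    """Vulnerable variant: the token is emitted verbatim."""
    return render_page(SECRET_TOKEN, reflected)


def masked_page(reflected: str) -> bytes:
    """Hardened variant: a fresh masked token per response."""
    return render_page(mask_token(SECRET_TOKEN), reflected)


if __name__ == "__main__":
    delta = length_delta(unmasked_page, CORRECT_GUESS, WRONG_GUESS)
    print(f"unmasked page: correct guess compresses {delta} byte(s) shorter")
    print("literal token present in masked page:", SECRET_TOKEN in masked_page("query").decode())
```

The positive delta on the unmasked page is the whole oracle: the compressor replaces the repeated secret with a short back-reference, so the correct guess yields a smaller body. With masking, the body still compresses, but the secret itself is never a repeated substring, so its length no longer depends on the attacker's guess. Disabling compression on responses that carry secrets is the blunter alternative.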
HEIST can be blocked by disabling third-party cookies, which may cause problems on some websites. A white paper explains HEIST in more detail: HEIST: HTTP Encrypted Information can be Stolen through TCP-windows
Theoretical so far
So far, BREACH is a theoretical attack; at least no practical BREACH tools and methods are known. HEIST might change this, since it removes the need for a MITM attack. Whether HEIST will really work – well, we will see in the next few days! Stay tuned!