HEIST attack on SSL/TLS that can grab personal info

August 10, 2016 | By Comodo SSL

News has emerged of a new attack targeting HTTPS that could let cyber-criminals make off with sensitive personal information.

This new technique attacks SSL/TLS and other secure channels purely from within the browser and can expose sensitive personal data, including encrypted emails, social security numbers and more. The two Belgian security researchers, Mathy Vanhoef and Tom Van Goethem, who presented their latest work on this web-based attack at the Black Hat security conference in Las Vegas, have named it HEIST, which stands for HTTP Encrypted Information can be Stolen through TCP-Windows. HEIST works by duping end-users with a JavaScript file hidden in a web ad or placed directly on a web page. The JavaScript code performs two main functions. First, it fetches content through a hidden JavaScript call from a private page that holds sensitive information such as credit card numbers, social security numbers, names and phone numbers. Second, as that content is retrieved, it uses repeated probing via JavaScript calls to pinpoint the size of the data embedded in the sensitive page.


In their research paper, Mathy Vanhoef and Tom Van Goethem say: “…we introduce HEIST, a set of techniques that allows us to carry out attacks against SSL/TLS purely in the browser. More generally, and surprisingly, with HEIST it becomes possible to exploit certain flaws in network protocols without having to sniff actual traffic.” They add: “HEIST abuses weaknesses and subtleties in the browser, and the underlying HTTP, SSL/TLS, and TCP layers. In particular, we discover a side-channel attack that leaks the exact size of any cross-origin response. This side-channel abuses the way responses are sent at the TCP level. Combined with the fact that SSL/TLS lacks length-hiding capabilities, HEIST can directly infer the length of the plaintext message. Concretely, this means that compression based attacks such as CRIME and BREACH can now be performed purely in the browser, by any malicious website or script, without requiring a man-in-the-middle position. Moreover, we also show that our length-exposing attacks can be used to obtain sensitive information from unwitting victims by abusing services on popular websites”.

How to block HEIST?

Mathy Vanhoef and Tom Van Goethem provide in their research paper an “overview of possible defense mechanisms that can be used to thwart attacks”. These include: preventing the browser side-channel leak and disabling third-party cookies at the browser level; blocking illicit requests and disabling compression at the HTTP level; and randomizing the TCP congestion window and applying random padding at the network level. They say that almost all of these prove inadequate in practice, and that only disabling third-party cookies actually works.
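As an added illustration (not code from the paper or from Comodo), the following Python shows why disabling HTTP compression, one of the defenses listed above, removes the length signal that CRIME/BREACH-style attacks depend on: TLS hides the content of a response but not its size, so when a page that reflects user input is compressed, its size depends on whether that input matches a secret elsewhere on the same page. The page template, the token value and all names are constructed assumptions.

```python
import zlib

# Constructed secret and page template (not taken from the paper).
SECRET_TOKEN = "7f3a9c1e"  # hypothetical per-session anti-CSRF token


def render_page(echo: str) -> bytes:
    """Hypothetical server response: it reflects a request parameter and
    also embeds the secret token in a form, the BREACH precondition."""
    html = (
        "<html><body>"
        f"<p>Results for: {echo}</p>"
        f"<form><input type='hidden' name='token' value='{SECRET_TOKEN}'>"
        "</form></body></html>"
    )
    return html.encode()


def wire_size(body: bytes, compress: bool) -> int:
    """Size the network sees. TLS encrypts content but does not hide length,
    so a size side channel observes this (up to record framing overhead)."""
    return len(zlib.compress(body)) if compress else len(body)


def wire_sizes(compress: bool) -> tuple[int, int]:
    """Defender check: compare the size of a response whose reflected input
    equals the secret with one whose input is equally long but unrelated.
    Both plaintexts have identical length by construction; only DEFLATE's
    back-references can make them differ."""
    matching = render_page(f"token={SECRET_TOKEN}")
    decoy = render_page("token=k2m4p6r8")  # same length, no shared substring
    return wire_size(matching, compress), wire_size(decoy, compress)


def size_depends_on_secret(compress: bool) -> bool:
    """True when the secret influences the observable response size."""
    matching, decoy = wire_sizes(compress)
    return matching != decoy


if __name__ == "__main__":
    print("compression on :", wire_sizes(True), size_depends_on_secret(True))
    print("compression off:", wire_sizes(False), size_depends_on_secret(False))
```

With compression on, the matching response is several bytes shorter because DEFLATE replaces the second copy of the token with a back-reference; with compression off, both responses are exactly the same size and the secret leaves no trace in the length.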

They conclude their paper by saying: “Finally, we have argued that it is difficult to defend against our attacks. One of the few, if not the only, adequate countermeasure is to disable third-party cookies.”
