At Black Hat USA 2016, doctoral candidates Mathy Vanhoef and Tom Van Goethem presented HEIST, an SSL/TLS vulnerability. HEIST is short for “HTTP Encrypted Information can be Stolen through TCP-windows.”
HEIST allows known compression-based attacks such as BREACH and CRIME to be performed directly in the browser, with no access to the network required. This makes the attacks easier to carry out, because a man-in-the-middle (MitM) position is not needed.
HEIST is a side-channel attack on HTTPS: instead of breaking the SSL/TLS encryption, it leaks the exchanged data through a compression attack. When the attacker knows the exact size of the compressed message, they can make intelligent guesses at its content. Since the compression used by most websites works by eliminating repetitions of text strings, correct guesses result in no increase in data size, while incorrect guesses cause the response to grow larger. By process of elimination, the content can be determined.
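The size signal described above can be reproduced locally to check whether a response template is exposed. This is an added example, not code from the HEIST presentation or its authors; the token, filler string, and page template are constructed sample data, and zlib stands in for the server's compression.

```python
import zlib

# Constructed sample data: a page that carries a secret token and also echoes
# a request parameter into the same compressed body.
SECRET = "9f2c4e7a1b3d5f60718293a4b5c6d7e8"
FILLER = "GHIJKLMNOPQRSTUVWXYZghijklmnopqr"  # shares no characters with hex
TEMPLATE = (
    '<html><body><a href="/logout?token={secret}">Log out</a>'
    "<p>No results for: {query}</p></body></html>"
)


def render(query: str) -> bytes:
    """Build the response body for one reflected query value."""
    return TEMPLATE.format(secret=SECRET, query=query).encode()


def guess_with_prefix(k: int) -> str:
    """Equal-length guess whose first k characters match the secret."""
    return "token=" + SECRET[:k] + FILLER[k:]


def sizes(steps=(0, 8, 16, 24, 32)):
    """Return (raw_len, compressed_len) for each guess."""
    out = []
    for k in steps:
        body = render(guess_with_prefix(k))
        out.append((len(body), len(zlib.compress(body, 9))))
    return out


def length_leak() -> int:
    """Bytes by which a wrong guess outgrows a fully correct one."""
    s = sizes((0, len(SECRET)))
    return s[0][1] - s[1][1]


if __name__ == "__main__":
    # Raw length stays constant; only the compressed length tracks the match.
    for k, (raw, comp) in zip((0, 8, 16, 24, 32), sizes()):
        print(f"matching chars={k:2d} raw={raw} compressed={comp}")
    print("leak in bytes:", length_leak())
```

A non-zero result from `length_leak()` means the compressed size of the response depends on how much of the reflected input matches the secret, which is the condition the attack relies on.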
HEIST works with both the older HTTP/1.x and the new HTTP/2 protocols. In fact, HTTP/2 can enhance the speed of the attack with native parallel requests.
To mitigate the attack from a web advertisement, the use of third-party cookies should be disabled. The downside is that most browsers accept third-party cookies by default, and many services will not work unless third-party cookies are allowed. Site operators should understand that if they use third-party content, their customers could be impacted. Ensure you trust those third parties.