When compression finds a block of bytes repeated on a page, the server sends that block only once and refers back to it. The HEIST script sends repeated requests to the website, varying the reflected content byte by byte in an attempt to match a block of data already on the page, such as a password or bank account number. A wrong guess produces a slightly larger response, while a correct guess adds no appreciable size, because the compression function does not send the duplicated block again. Repeating this process thousands of times and comparing the size of each response allows the script to determine, piece by piece, plaintext contained in the encrypted webpage. This stage of the attack can take a while, but if the page is loaded over HTTP/2 the time is greatly reduced, as all the requests travel over a single HTTP/2 connection. HPACK, the header compression format used in HTTP/2, also makes the length of the header frame easier to predict.
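The size oracle described above, modelled locally as an added example (not code from the article or from the HEIST authors): a constructed page carries a hidden CSRF token and reflects attacker-supplied text, and `size_oracle_recover` rebuilds the token from compressed response sizes alone, never from the plaintext. The same block then applies secret masking, a standard BREACH mitigation that the article does not describe, and shows the size signal disappear. Everything here is constructed and hypothetical: the page layout, the token, the `render`, `plain_server` and `masked_server` names. `Z_FIXED` forces fixed Huffman codes so that the gap between a right and a wrong guess is exactly one byte; real servers emit dynamic codes, which blur the gap and are why the attack repeats requests thousands of times and averages.

```python
import secrets
import string
import zlib

HEX_ALPHABET = string.hexdigits[:16].encode()  # b"0123456789abcdef"


def compressed_size(body: bytes) -> int:
    """Byte length of the DEFLATE-compressed body, i.e. what the network sees.

    Z_FIXED forces fixed Huffman codes so that, in this demo, a right guess is
    exactly one byte smaller than a wrong one. Real servers use dynamic codes,
    which blur the gap; the attack then repeats requests and averages.
    """
    comp = zlib.compressobj(level=9, strategy=zlib.Z_FIXED)
    return len(comp.compress(body) + comp.flush())


def render(token_field: bytes, reflected: bytes) -> bytes:
    """Constructed page: a hidden secret and attacker-influenced text share one body."""
    return (b"<html><body>\n"
            b'<form><input type="hidden" name="csrf" value="' + token_field + b'"></form>\n'
            b"<p>You searched for: " + reflected + b"</p>\n"
            b"</body></html>")


def plain_server(secret: bytes):
    """Vulnerable: the secret appears verbatim in every compressed response."""
    def respond(reflected: bytes) -> int:
        return compressed_size(render(secret, reflected))
    return respond


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mask_field(secret: bytes, one_time_mask: bytes) -> bytes:
    """hex(mask) || hex(secret XOR mask): the plaintext secret never appears on the page."""
    return one_time_mask.hex().encode() + xor(secret, one_time_mask).hex().encode()


def unmask_field(field: bytes) -> bytes:
    """Inverse of mask_field; what the server does when the token comes back."""
    half = len(field) // 2
    one_time_mask = bytes.fromhex(field[:half].decode())
    return xor(bytes.fromhex(field[half:].decode()), one_time_mask)


def masked_server(secret: bytes):
    """Mitigated: a fresh mask per response, so no two responses carry the same token bytes."""
    def respond(reflected: bytes) -> int:
        field = mask_field(secret, secrets.token_bytes(len(secret)))
        return compressed_size(render(field, reflected))
    return respond


def size_oracle_recover(respond, length: int, alphabet: bytes = HEX_ALPHABET) -> bytes:
    """The guessing loop from the text: extend the known prefix one byte at a time,
    keeping whichever candidate produced the smallest compressed response."""
    known = b""
    for _ in range(length):
        sizes = {}
        for c in alphabet:
            guess = bytes([c])
            # Reflect the surrounding attribute text too, so the back-reference is long.
            sizes[guess] = respond(b'name="csrf" value="' + known + guess)
        known += min(sizes, key=sizes.get)
    return known


if __name__ == "__main__":
    token = b"9f1c3e7ab0d4"  # constructed secret
    print("plain  :", size_oracle_recover(plain_server(token), len(token)))   # recovers the token
    print("masked :", size_oracle_recover(masked_server(token), len(token)))  # noise
```

The guessing loop needs nothing but response sizes, which is exactly what HEIST measures from the browser; it never reads the response body. Against the masked page the minimum-size candidate at each step tracks the throw-away mask rather than the secret, and because the mask changes on every response no prefix can accumulate across requests.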
HTTP/2 is the first major upgrade to the Hypertext Transfer Protocol in over 15 years. Its main goal was to improve website performance, but security may have been weakened as a result; the new features in HTTP/2 have certainly increased the attack surface that hackers can exploit. Details of four vulnerabilities and attack vectors related to the HTTP/2 protocol are discussed in Imperva's report, "HTTP/2: In-depth analysis of the top four flaws of the next generation web protocol," two of which were already known from HTTP/1.x implementations. No single technology can secure sensitive data, but HTTPS is a core element of secure communications, and any exploitable vulnerability in it puts the entire internet at risk.
Delaying HTTP/2 deployment may be the best option for sites displaying sensitive data, at least until more research into HTTP/2 has been carried out. Administrators pressured into upgrading to take advantage of HTTP/2's faster page loads should ensure existing vulnerabilities are fixed first: most sites are still vulnerable to BREACH, and although there are no reports of BREACH having been used to hijack real accounts, HEIST-enabled BREACH attacks may change that. A detailed explanation of HEIST's attack methodology is available in Van Goethem and Vanhoef's research paper. Online tools such as Qualys' SSL Server Test can check whether a website is vulnerable to BREACH or similar attacks.