Are browsers using the HTTP/2 protocol vulnerable to HEIST attacks?

HEIST, a new HTTP/2 protocol exploit, can steal encrypted content from HTTPS traffic. Expert Michael Cobb explains how this attack works and how to stop it.

While the HTTP/2 protocol was designed to improve security and performance, it has also, apparently, enabled threat actors to do more damage with existing attacks. At Black Hat USA 2016, Ph.D. researchers at the University of Leuven in Belgium, Tom Van Goethem and Mathy Vanhoef, disclosed a web-based attack that can steal encrypted content from HTTPS traffic using nothing more than JavaScript. Until now, attacks against secure sockets layer (SSL) and transport layer security (TLS) like CRIME and BREACH have required the attacker to be able to observe or manipulate the traffic between the victim and the website they are visiting -- a man-in-the-middle attack -- making it difficult for the attacker to carry out the exploit. This new attack, called HEIST, which stands for "HTTP encrypted information can be stolen through TCP-windows," puts a user's privacy at risk simply by the user visiting a compromised site controlled by the attacker, or a page running JavaScript-based ads, for example. What's more, the HEIST attack can leverage features of the HTTP/2 protocol to make the attack even faster.

HEIST is a side-channel attack on HTTPS. It doesn't actually break the encryption used, but by combining weaknesses and unexpected behavior in the interactions between the browser, HTTP, SSL/TLS and TCP, it can uncover enough information about the data exchanged in a cross-origin response in the browser to guess its content, even though it is encrypted and sent over HTTPS. It works by exploiting the way HTTPS responses are delivered over TCP to measure the size of an HTTPS response. JavaScript code is not allowed to know how many bytes of data are returned in a cross-origin response, but the HEIST JavaScript code uses two new APIs, HTML5 Resource Timing and Fetch, to obtain a start time and a stop time, from which the size of an encrypted response can be inferred. Once the attacker knows the size of an encrypted response, he can then use either the BREACH or the CRIME exploit technique to brute force the plaintext contained inside it. Both the BREACH and the CRIME exploits are able to decrypt payloads by manipulating the compression that sites use to reduce the amount of data transferred in order to make pages load more quickly.

If there's a block of duplicated information on the page, the server sends that block only once. The HEIST script sends repeated requests to the website, varying each request byte by byte, trying to match a block of information on the page, such as a password or bank account number. Wrong guesses at the data in a block result in a larger response size, while a guess that matches the block produces no appreciable increase in data size, as the compression function won't send duplicate blocks of data. Repeating this process thousands of times and analyzing the size of each resulting response allows the script to eventually determine the plaintext contained in the encrypted webpage. This stage of the attack can take a while, but if the page is loaded using the HTTP/2 protocol, the time taken is greatly reduced, as all requests are made over a single HTTP/2 connection. Also, the header compression format used in HTTP/2, HPACK, makes it easier to predict the length of the header frame.
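The compression size leak described in the two paragraphs above, and the server-side mitigation of not compressing responses that echo request data, as an added illustration that is not from the article or the researchers' code. The page body, the token and the helper names are constructed for this example; sizes are read with len() on the server side, standing in for the TCP-window timing measurement the attack uses in the browser.

```python
import zlib

# Constructed toy page: a per-session token an attacker would want, next to a
# reflected request parameter (the precondition the article names for HEIST).
SECRET = "token=8f3a1c"

def render(reflected: str) -> bytes:
    """Response body that echoes a query value and also contains the secret."""
    return (f"<p>You searched for: {reflected}</p>"
            f"<a href='/logout?{SECRET}'>sign out</a>").encode()

def compressed_size(body: bytes) -> int:
    """Bytes on the wire after DEFLATE, as gzip/deflate content-encoding sends it."""
    return len(zlib.compress(body, 6))

def size_by_candidate(known_prefix: str, candidates: str) -> dict:
    """Compressed size for each one-character extension of an already-known prefix.

    The candidate that continues the secret is absorbed into one LZ77 back-reference
    (the duplicated block is sent once), so that response does not grow; every wrong
    candidate forces an extra literal byte and the response gets larger.
    """
    return {c: compressed_size(render(known_prefix + c)) for c in candidates}

def compress_response(body: bytes, reflects_request_input: bool) -> bytes:
    """Hardened encoder: a response that echoes request data is sent uncompressed,
    so its length no longer depends on whether the echoed bytes match the secret."""
    if reflects_request_input:
        return body
    return zlib.compress(body, 6)

def still_leaks(known_prefix: str, candidates: str) -> bool:
    """Audit check for the hardened path: True if response lengths differ by candidate."""
    sizes = {len(compress_response(render(known_prefix + c), True)) for c in candidates}
    return len(sizes) > 1

if __name__ == "__main__":
    sizes = size_by_candidate("token=8f3a1", "0123456789abcdef")
    print(sizes)  # the correct next character 'c' yields the smallest response
    print("hardened path leaks:", still_leaks("token=8f3a1", "0123456789abcdef"))
```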

HTTP/2 is the first major upgrade to the Hypertext Transfer Protocol in over 15 years. Its main goal was to improve website performance, but security may have been weakened as a result; the new features in HTTP/2 have certainly increased the attack surface that hackers can exploit. Details of four vulnerabilities and attack vectors related to the HTTP/2 protocol are discussed in Imperva's report, "HTTP/2: In-depth analysis of the top four flaws of the next generation web protocol," two of which were already known to have existed in implementations of HTTP/1.x. No one technology can secure sensitive data, but HTTPS is a core element of secure communications and any exploitable vulnerabilities put the entire internet at risk.

Delaying implementation of the HTTP/2 protocol may be the best option for sites displaying sensitive data, at least until more research into HTTP/2 has been carried out. Those administrators pressured into upgrading to take advantage of HTTP/2's faster page load speeds should ensure existing vulnerabilities are fixed first; most sites are still vulnerable to BREACH, and although there are no reports that BREACH has successfully been used to hijack real accounts, HEIST-enabled BREACH attacks may change that. A detailed explanation of HEIST's attack methodology is available in Van Goethem and Vanhoef's research paper. Online tools such as Qualys' SSL Server Test can check whether a website is vulnerable to BREACH or other similar attacks.

For the HEIST attack to work, a webpage must include or reflect part of the browser's request in its own content, and the user must have JavaScript and third-party cookies enabled. If there are reports of the HEIST attack being successfully used in the wild, users should consider turning on the private browsing mode offered by major browsers. This feature, which disables third-party cookies, would prevent the HEIST script from being able to authenticate with the HTTPS protected webpage. However, this would make many sites unusable, as would disabling JavaScript execution in the browser, the one other possible mitigation.


This was last published in November 2016
